better-auth 1.6.12 → 1.6.14

package/dist/oauth2/link-account.mjs

@@ -46,6 +46,7 @@ async function handleOAuthUserInfo(c, opts) {
 				};
 			}
 			if (userInfo.emailVerified && !dbUser.user.emailVerified && userInfo.email.toLowerCase() === dbUser.user.email) await c.context.internalAdapter.updateUser(dbUser.user.id, { emailVerified: true });
+			user = await applyUpdateUserInfoOnLink(c, dbUser.user.id, userInfo) ?? user;
 		} else {
 			const freshTokens = c.context.options.account?.updateAccountOnSignIn !== false ? Object.fromEntries(Object.entries({
 				idToken: account.idToken,
@@ -137,5 +138,27 @@ async function handleOAuthUserInfo(c, opts) {
 		isRegister
 	};
 }
+/**
+* Apply the `account.accountLinking.updateUserInfoOnLink` policy: when enabled,
+* copy the freshly linked provider's profile onto the local user, matching the
+* field set persisted on sign-up. The local `email` and `emailVerified` are
+* never changed, so a link can't rebind the account's identity, and
+* `updateUser` drops `undefined` fields, so a provider that omits one leaves
+* the existing column intact.
+*
+* Returns the updated user so a caller that issues a session can seed the
+* cookie cache with the fresh row. Returns `undefined` when the policy is
+* disabled or the update fails: a failed profile sync must not abort the link.
+*/
+async function applyUpdateUserInfoOnLink(c, userId, userInfo) {
+	if (c.context.options.account?.accountLinking?.updateUserInfoOnLink !== true) return;
+	const { id: _id, email: _email, emailVerified: _emailVerified, ...profile } = userInfo;
+	try {
+		return await c.context.internalAdapter.updateUser(userId, profile);
+	} catch (e) {
+		c.context.logger.warn("Could not update user info on account link", e);
+		return;
+	}
+}
 //#endregion
-export { handleOAuthUserInfo };
+export { applyUpdateUserInfoOnLink, handleOAuthUserInfo };

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.12";
+var version = "1.6.14";
 //#endregion
 export { version };

package/dist/plugins/admin/routes.mjs

@@ -462,7 +462,7 @@ const banUser = (opts) => createAuthEndpoint("/admin/ban-user", {
 		banExpires: ctx.body.banExpiresIn ? getDate(ctx.body.banExpiresIn, "sec") : opts?.defaultBanExpiresIn ? getDate(opts.defaultBanExpiresIn, "sec") : void 0,
 		updatedAt: /* @__PURE__ */ new Date()
 	});
-	await ctx.context.internalAdapter.deleteSessions(ctx.body.userId);
+	await ctx.context.internalAdapter.deleteUserSessions(ctx.body.userId);
 	return ctx.json({ user: parseUserOutput(ctx.context.options, user) });
 });
 const impersonateUserBodySchema = z.object({ userId: z.coerce.string().meta({ description: "The user id" }) });
@@ -658,7 +658,7 @@ const revokeUserSessions = (opts) => createAuthEndpoint("/admin/revoke-user-sess
 		options: opts,
 		permissions: { session: ["revoke"] }
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REVOKE_USERS_SESSIONS);
-	await ctx.context.internalAdapter.deleteSessions(ctx.body.userId);
+	await ctx.context.internalAdapter.deleteUserSessions(ctx.body.userId);
 	return ctx.json({ success: true });
 });
 const removeUserBodySchema = z.object({ userId: z.coerce.string().meta({ description: "The user id" }) });
@@ -703,7 +703,7 @@ const removeUser = (opts) => createAuthEndpoint("/admin/remove-user", {
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_DELETE_USERS);
 	if (ctx.body.userId === ctx.context.session.user.id) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.YOU_CANNOT_REMOVE_YOURSELF);
 	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
-	await ctx.context.internalAdapter.deleteSessions(ctx.body.userId);
+	await ctx.context.internalAdapter.deleteUserSessions(ctx.body.userId);
 	await ctx.context.internalAdapter.deleteUser(ctx.body.userId);
 	return ctx.json({ success: true });
 });

package/dist/plugins/anonymous/index.mjs

@@ -102,7 +102,7 @@ const anonymous = (options) => {
 				if (options?.disableDeleteAnonymousUser) throw APIError.from("BAD_REQUEST", ANONYMOUS_ERROR_CODES.DELETE_ANONYMOUS_USER_DISABLED);
 				if (!session.user.isAnonymous) throw APIError.from("FORBIDDEN", ANONYMOUS_ERROR_CODES.USER_IS_NOT_ANONYMOUS);
 				try {
-					await ctx.context.internalAdapter.deleteSessions(session.user.id);
+					await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 				} catch (error) {
 					ctx.context.logger.error("Failed to delete anonymous user sessions", error);
 					throw APIError.from("INTERNAL_SERVER_ERROR", ANONYMOUS_ERROR_CODES.FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS);
@@ -154,7 +154,7 @@ const anonymous = (options) => {
 				const newSessionIsAnonymous = Boolean(newSessionUser?.isAnonymous);
 				if (options?.disableDeleteAnonymousUser || isSameUser || newSessionIsAnonymous) return;
 				try {
-					await ctx.context.internalAdapter.deleteSessions(session.user.id);
+					await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 					await ctx.context.internalAdapter.deleteUser(session.user.id);
 				} catch (error) {
 					ctx.context.logger.error("Failed to clean up anonymous user during post-link cleanup", {

package/dist/plugins/email-otp/routes.mjs

@@ -585,7 +585,7 @@ const resetPasswordEmailOTP = (opts) => createAuthEndpoint("/email-otp/reset-pas
 	else await ctx.context.internalAdapter.updatePassword(user.user.id, passwordHash);
 	if (ctx.context.options.emailAndPassword?.onPasswordReset) await ctx.context.options.emailAndPassword.onPasswordReset({ user: user.user }, ctx.request);
 	if (!user.user.emailVerified) await ctx.context.internalAdapter.updateUser(user.user.id, { emailVerified: true });
-	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteSessions(user.user.id);
+	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteUserSessions(user.user.id);
 	return ctx.json({ success: true });
 });
 const requestEmailChangeEmailOTPBodySchema = z.object({

package/dist/plugins/generic-oauth/routes.mjs

@@ -1,10 +1,10 @@
 import { isAPIError } from "../../utils/is-api-error.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { missingEmailLogMessage, redirectOnError } from "../../oauth2/errors.mjs";
-import { generateState, parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
+import { applyUpdateUserInfoOnLink, handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { generateState, parseState } from "../../oauth2/state.mjs";
 import { sessionMiddleware } from "../../api/routes/session.mjs";
-import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { APIError as APIError$1 } from "../../api/index.mjs";
 import { GENERIC_OAUTH_ERROR_CODES } from "./error-codes.mjs";
@@ -248,6 +248,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 			refreshToken: await setTokenUtil(tokens.refreshToken, ctx.context),
 			idToken: tokens.idToken
 		})) redirectOnError(ctx, resolvedErrorURL, "unable_to_link_account");
+		await applyUpdateUserInfoOnLink(ctx, link.userId, userInfo);
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();

package/dist/plugins/mcp/index.mjs

@@ -14,6 +14,7 @@ import { oidcProvider } from "../oidc-provider/index.mjs";
 import { authorizeMCPOAuth } from "./authorize.mjs";
 import { isProduction, logger } from "@better-auth/core/env";
 import { safeJSONParse } from "@better-auth/core/utils/json";
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
 import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
@@ -86,7 +87,7 @@ const getMCPProtectedResourceMetadata = (ctx, options) => {
 	};
 };
 const registerMcpClientBodySchema = z.object({
-	redirect_uris: z.array(z.string()),
+	redirect_uris: z.array(z.string().refine(isSafeUrlScheme, { message: "redirect_uri cannot use a javascript:, data:, or vbscript: scheme" })),
 	token_endpoint_auth_method: z.enum([
 		"none",
 		"client_secret_basic",

package/dist/plugins/oauth-proxy/index.mjs

@@ -5,8 +5,8 @@ import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
 import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { redirectOnError } from "../../oauth2/errors.mjs";
-import { parseGenericState } from "../../state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { parseGenericState } from "../../state.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { parseJSON } from "../../client/parser.mjs";
 import { checkSkipProxy, resolveCurrentURL, stripTrailingSlash } from "./utils.mjs";

package/dist/plugins/oidc-provider/index.mjs

@@ -15,6 +15,7 @@ import { authorize } from "./authorize.mjs";
 import { schema } from "./schema.mjs";
 import { defaultClientSecretHasher } from "./utils.mjs";
 import { getCurrentAuthContext } from "@better-auth/core/context";
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
 import { deprecate } from "@better-auth/core/utils/deprecate";
 import * as z from "zod";
@@ -101,7 +102,7 @@ const oAuthConsentBodySchema = z.object({
 });
 const oAuth2TokenBodySchema = z.record(z.any(), z.any());
 const registerOAuthApplicationBodySchema = z.object({
-	redirect_uris: z.array(z.string()).meta({ description: "A list of redirect URIs. Eg: [\"https://client.example.com/callback\"]" }),
+	redirect_uris: z.array(z.string().refine(isSafeUrlScheme, { message: "redirect_uri cannot use a javascript:, data:, or vbscript: scheme" })).meta({ description: "A list of redirect URIs. Eg: [\"https://client.example.com/callback\"]" }),
 	token_endpoint_auth_method: z.enum([
 		"none",
 		"client_secret_basic",

package/dist/plugins/one-tap/client.mjs

@@ -1,4 +1,5 @@
 import { PACKAGE_VERSION } from "../../version.mjs";
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 //#region src/plugins/one-tap/client.ts
 let isRequestInProgress = false;
 function isFedCMSupported() {
@@ -49,7 +50,10 @@ const oneTapClient = (options) => {
 							...opts?.fetchOptions,
 							...fetchOptions
 						});
-						if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) window.location.href = opts?.callbackURL ?? "/";
+						if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) {
+							const target = opts?.callbackURL ?? "/";
+							if (isSafeUrlScheme(target)) window.location.href = target;
+						}
 					}
 					const { autoSelect, cancelOnTapOutside, context } = opts ?? {};
 					const contextValue = context ?? options.context ?? "signin";
@@ -82,7 +86,10 @@ const oneTapClient = (options) => {
 						...opts?.fetchOptions,
 						...fetchOptions
 					});
-					if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) window.location.href = opts?.callbackURL ?? "/";
+					if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) {
+						const target = opts?.callbackURL ?? "/";
+						if (isSafeUrlScheme(target)) window.location.href = target;
+					}
 				}
 				const { autoSelect, cancelOnTapOutside, context } = opts ?? {};
 				const contextValue = context ?? options.context ?? "signin";

package/dist/plugins/one-tap/index.mjs

@@ -1,5 +1,6 @@
 import { parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { APIError } from "../../api/index.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { toBoolean } from "../../utils/boolean.mjs";
@@ -47,51 +48,27 @@ const oneTap = (options) => ({
 		}
 		const { email: rawEmail, email_verified, name, picture, sub } = payload;
 		if (!rawEmail) return ctx.json({ error: "Email not available in token" });
-		const email = rawEmail.toLowerCase();
-		const user = await ctx.context.internalAdapter.findUserByEmail(email);
-		if (!user) {
-			if (options?.disableSignup) throw new APIError("BAD_GATEWAY", { message: "User not found" });
-			const newUser = await ctx.context.internalAdapter.createOAuthUser({
-				email,
+		const result = await handleOAuthUserInfo(ctx, {
+			userInfo: {
+				id: sub,
+				email: rawEmail.toLowerCase(),
 				emailVerified: typeof email_verified === "boolean" ? email_verified : toBoolean(email_verified),
-				name,
+				name: name ?? "",
 				image: picture
-			}, {
-				providerId: "google",
-				accountId: sub
-			});
-			if (!newUser) throw new APIError("INTERNAL_SERVER_ERROR", { message: "Could not create user" });
-			const session = await ctx.context.internalAdapter.createSession(newUser.user.id);
-			await setSessionCookie(ctx, {
-				user: newUser.user,
-				session
-			});
-			return ctx.json({
-				token: session.token,
-				user: parseUserOutput(ctx.context.options, newUser.user)
-			});
-		}
-		if (!await ctx.context.internalAdapter.findAccount(sub)) {
-			const accountLinking = ctx.context.options.account?.accountLinking;
-			const providerEmailVerified = typeof email_verified === "boolean" ? email_verified : toBoolean(email_verified);
-			const requireLocalEmailVerified = accountLinking?.requireLocalEmailVerified ?? true;
-			if (accountLinking?.enabled !== false && accountLinking?.disableImplicitLinking !== true && (!requireLocalEmailVerified || user.user.emailVerified) && (ctx.context.trustedProviders.includes("google") || providerEmailVerified)) await ctx.context.internalAdapter.linkAccount({
-				userId: user.user.id,
+			},
+			account: {
 				providerId: "google",
 				accountId: sub,
-				scope: "openid,profile,email",
-				idToken
-			});
-			else throw new APIError("UNAUTHORIZED", { message: "Google identity cannot be linked: implicit account-linking is disabled, the local email is not verified, or the Google email_verified claim is false and Google is not a trusted provider" });
-		}
-		const session = await ctx.context.internalAdapter.createSession(user.user.id);
-		await setSessionCookie(ctx, {
-			user: user.user,
-			session
+				idToken,
+				scope: "openid,profile,email"
+			},
+			disableSignUp: options?.disableSignup
 		});
+		if (result.error) throw new APIError("UNAUTHORIZED", { message: result.error });
+		await setSessionCookie(ctx, result.data);
 		return ctx.json({
-			token: session.token,
-			user: parseUserOutput(ctx.context.options, user.user)
+			token: result.data.session.token,
+			user: parseUserOutput(ctx.context.options, result.data.user)
 		});
 	}) },
 	options

package/dist/plugins/organization/adapter.mjs

@@ -550,9 +550,11 @@ const getOrgAdapter = (context, options) => {
 		createInvitation: async ({ invitation, user }) => {
 			const adapter = await getCurrentAdapter(baseAdapter);
 			const expiresAt = getDate(options?.invitationExpiresIn || 3600 * 48, "sec");
+			const invitationId = context.generateId({ model: "invitation" });
 			return await adapter.create({
 				model: "invitation",
 				data: {
+					...invitationId !== false ? { id: invitationId } : {},
 					status: "pending",
 					expiresAt,
 					createdAt: /* @__PURE__ */ new Date(),

package/dist/plugins/organization/routes/crud-access-control.d.mts

@@ -14,7 +14,7 @@ declare const createOrgRole: <O extends OrganizationOptions>(options: O) => bett
     role: z.ZodString;
     permission: z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>;
     additionalFields: z.ZodOptional<z.ZodObject<{
-      [x: string]: z.ZodOptional<z.ZodAny>;
+      [x: string]: z.ZodAny;
     }, z.core.$strip>>;
   }, z.core.$strip>;
   metadata: {

package/dist/plugins/organization/routes/crud-invites.mjs

@@ -19,6 +19,20 @@ const baseInvitationSchema = z.object({
 	resend: z.boolean().meta({ description: "Resend the invitation email, if the user is already invited. Eg: true" }).optional(),
 	teamId: z.union([z.string().meta({ description: "The team ID to invite the user to" }).optional(), z.array(z.string()).meta({ description: "The team IDs to invite the user to" }).optional()])
 });
+const getAdvancedGenerateId = (advancedOptions) => {
+	if (typeof advancedOptions !== "object" || advancedOptions === null) return;
+	const generateId = advancedOptions.generateId;
+	if (typeof generateId !== "function") return;
+	return generateId;
+};
+const hasBuiltInOpaqueInvitationIdGeneration = ({ advancedGenerateId, databaseGenerateId }) => advancedGenerateId === void 0 && (databaseGenerateId === void 0 || databaseGenerateId === "uuid");
+const shouldRequireVerifiedEmailForInvitationIdAction = ({ organizationOptions, advancedGenerateId, databaseGenerateId }) => {
+	if (organizationOptions.requireEmailVerificationOnInvitation !== void 0) return organizationOptions.requireEmailVerificationOnInvitation;
+	return !hasBuiltInOpaqueInvitationIdGeneration({
+		advancedGenerateId,
+		databaseGenerateId
+	});
+};
 const createInvitation = (option) => {
 	const additionalFieldsSchema = toZodSchema({
 		fields: option?.schema?.invitation?.additionalFields || {},
@@ -247,7 +261,11 @@ const acceptInvitation = (options) => createAuthEndpoint("/organization/accept-i
 	const invitation = await adapter.findInvitationById(ctx.body.invitationId);
 	if (!invitation || invitation.expiresAt < /* @__PURE__ */ new Date() || invitation.status !== "pending") throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVITATION_NOT_FOUND);
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
-	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
+	if (shouldRequireVerifiedEmailForInvitationIdAction({
+		organizationOptions: ctx.context.orgOptions,
+		advancedGenerateId: getAdvancedGenerateId(ctx.context.options.advanced),
+		databaseGenerateId: ctx.context.options.advanced?.database?.generateId
+	}) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
 	const membershipLimit = ctx.context.orgOptions?.membershipLimit || 100;
 	const membersCount = await adapter.countMembers({ organizationId: invitation.organizationId });
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
@@ -336,7 +354,11 @@ const rejectInvitation = (options) => createAuthEndpoint("/organization/reject-i
 		code: "INVITATION_NOT_FOUND"
 	});
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
-	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
+	if (shouldRequireVerifiedEmailForInvitationIdAction({
+		organizationOptions: ctx.context.orgOptions,
+		advancedGenerateId: getAdvancedGenerateId(ctx.context.options.advanced),
+		databaseGenerateId: ctx.context.options.advanced?.database?.generateId
+	}) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
 	if (!organization) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.ORGANIZATION_NOT_FOUND);
 	if (options?.organizationHooks?.beforeRejectInvitation) await options?.organizationHooks.beforeRejectInvitation({
@@ -455,7 +477,11 @@ const getInvitation = (options) => createAuthEndpoint("/organization/get-invitat
 	const invitation = await adapter.findInvitationById(ctx.query.id);
 	if (!invitation || invitation.status !== "pending" || invitation.expiresAt < /* @__PURE__ */ new Date()) throw APIError.fromStatus("BAD_REQUEST", { message: "Invitation not found!" });
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
-	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
+	if (shouldRequireVerifiedEmailForInvitationIdAction({
+		organizationOptions: ctx.context.orgOptions,
+		advancedGenerateId: getAdvancedGenerateId(ctx.context.options.advanced),
+		databaseGenerateId: ctx.context.options.advanced?.database?.generateId
+	}) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
 	if (!organization) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.ORGANIZATION_NOT_FOUND);
 	const member = await adapter.findMemberByOrgId({
@@ -541,7 +567,7 @@ const listUserInvitations = (options) => createAuthEndpoint("/organization/list-
 }, async (ctx) => {
 	const session = await getSessionFromCtx(ctx);
 	if (ctx.request && ctx.query?.email) throw APIError.fromStatus("BAD_REQUEST", { message: "User email cannot be passed for client side API calls." });
-	if (session && (ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
+	if (session && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
 	const userEmail = session?.user.email || ctx.query?.email;
 	if (!userEmail) throw APIError.fromStatus("BAD_REQUEST", { message: "Missing session headers, or email query parameter." });
 	const pendingInvitations = (await getOrgAdapter(ctx.context, options).listUserInvitations(userEmail)).filter((inv) => inv.status === "pending");

package/dist/plugins/organization/routes/crud-org.d.mts

@@ -15,7 +15,7 @@ declare const createOrganization: <O extends OrganizationOptions>(options?: O |
     name: z.ZodString;
     slug: z.ZodString;
     userId: z.ZodOptional<z.ZodCoercedString<unknown>>;
-    logo: z.ZodOptional<z.ZodString>;
+    logo: z.ZodOptional<z.ZodNullable<z.ZodString>>;
     metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
     keepCurrentActiveOrganization: z.ZodOptional<z.ZodBoolean>;
   }, z.core.$strip>;
@@ -55,7 +55,7 @@ declare const createOrganization: <O extends OrganizationOptions>(options?: O |
         name: string;
         slug: string;
         userId?: string | undefined;
-        logo?: string | undefined;
+        logo?: string | null | undefined;
         metadata?: Record<string, any> | undefined;
         keepCurrentActiveOrganization?: boolean | undefined;
       };
@@ -165,7 +165,7 @@ declare const updateOrganization: <O extends OrganizationOptions>(options?: O |
     data: z.ZodObject<{
       name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
       slug: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-      logo: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      logo: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
       metadata: z.ZodOptional<z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>>;
     }, z.core.$strip>;
     organizationId: z.ZodOptional<z.ZodString>;
@@ -207,7 +207,7 @@ declare const updateOrganization: <O extends OrganizationOptions>(options?: O |
         data: {
           name?: string | undefined;
           slug?: string | undefined;
-          logo?: string | undefined;
+          logo?: string | null | undefined;
           metadata?: Record<string, any> | undefined;
         } & Partial<InferAdditionalFieldsFromPluginOptions<"organization", O>>;
         organizationId?: string | undefined;

package/dist/plugins/organization/routes/crud-org.mjs

@@ -13,7 +13,7 @@ const baseOrganizationSchema = z.object({
 	name: z.string().min(1).meta({ description: "The name of the organization" }),
 	slug: z.string().min(1).meta({ description: "The slug of the organization" }),
 	userId: z.coerce.string().meta({ description: "The user id of the organization creator. If not provided, the current user will be used. Should only be used by admins or when called by the server. server-only. Eg: \"user-id\"" }).optional(),
-	logo: z.string().meta({ description: "The logo of the organization" }).optional(),
+	logo: z.string().meta({ description: "The logo of the organization" }).nullish(),
 	metadata: z.record(z.string(), z.any()).meta({ description: "The metadata of the organization" }).optional(),
 	keepCurrentActiveOrganization: z.boolean().meta({ description: "Whether to keep the current active organization active after creating a new one. Eg: true" }).optional()
 });
@@ -160,7 +160,7 @@ const checkOrganizationSlug = (options) => createAuthEndpoint("/organization/che
 const baseUpdateOrganizationSchema = z.object({
 	name: z.string().min(1).meta({ description: "The name of the organization" }).optional(),
 	slug: z.string().min(1).meta({ description: "The slug of the organization" }).optional(),
-	logo: z.string().meta({ description: "The logo of the organization" }).optional(),
+	logo: z.string().meta({ description: "The logo of the organization" }).nullish(),
 	metadata: z.record(z.string(), z.any()).meta({ description: "The metadata of the organization" }).optional()
 });
 const updateOrganization = (options) => {

package/dist/plugins/organization/types.d.mts

@@ -165,19 +165,26 @@ interface OrganizationOptions {
    */
   cancelPendingInvitationsOnReInvite?: boolean | undefined;
   /**
-   * Require email verification on session-authenticated recipient invitation
-   * calls (accept, reject, get, list). Defaults to `true` so unverified
-   * accounts registered against a victim's email cannot accept, read, or
-   * enumerate invitations targeted at that email. Server-side
-   * `listUserInvitations` calls without a session (caller passes
-   * `ctx.query.email`) continue to bypass the gate because the caller is
-   * trusted. Set to `false` for backward compatibility on apps that do not
-   * require email verification; understand the takeover risk before doing so.
+   * Require email verification before session-authenticated recipient
+   * invitation calls that carry an invitation ID (accept, reject, get).
    *
-   * @default true
+   * When unset, Better Auth preserves the normal emailed-invitation flow for
+   * built-in opaque invitation IDs, including the default generator and
+   * `advanced.database.generateId: "uuid"`. It requires verification for
+   * externally controlled or predictable invitation IDs, such as
+   * `advanced.database.generateId: "serial"` / `false` or custom ID
+   * generation.
+   *
+   * Set this option to `true` when invitation IDs may be visible outside the
+   * invited user's mailbox, when organization invitation lists are exposed to
+   * members, or when verified email should be the ownership proof for by-ID
+   * invitation actions. Client-side `listUserInvitations` calls always require
+   * a verified session email because they enumerate invitation IDs from
+   * `session.user.email`. Server-side `listUserInvitations` calls without a
+   * session (caller passes `ctx.query.email`) continue to bypass the gate
+   * because the caller is trusted.
    *
-   * @deprecated The option will be removed on the next minor; the gate will
-   * become unconditional. Plan to verify emails before invitation acceptance.
+   * @default undefined
    */
   requireEmailVerificationOnInvitation?: boolean | undefined;
   /**
@@ -317,7 +324,7 @@ interface OrganizationOptions {
       organization: {
         name?: string;
         slug?: string;
-        logo?: string;
+        logo?: string | null;
         metadata?: Record<string, any>;
         [key: string]: any;
       };
@@ -348,7 +355,7 @@ interface OrganizationOptions {
       organization: {
         name?: string;
         slug?: string;
-        logo?: string;
+        logo?: string | null;
         metadata?: Record<string, any>;
         [key: string]: any;
       };
@@ -358,7 +365,7 @@ interface OrganizationOptions {
       data: {
         name?: string;
         slug?: string;
-        logo?: string;
+        logo?: string | null;
         metadata?: Record<string, any>;
         [key: string]: any;
       };

package/dist/plugins/phone-number/routes.mjs

@@ -470,7 +470,7 @@ const resetPasswordPhoneNumber = (opts) => createAuthEndpoint("/phone-number/res
 	else await ctx.context.internalAdapter.updatePassword(user.id, hashedPassword);
 	await ctx.context.internalAdapter.deleteVerificationByIdentifier(phoneResetIdentifier);
 	if (ctx.context.options.emailAndPassword?.onPasswordReset) await ctx.context.options.emailAndPassword.onPasswordReset({ user }, ctx.request);
-	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteSessions(user.id);
+	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteUserSessions(user.id);
 	return ctx.json({ status: true });
 });
 function generateOTP(size) {

package/dist/plugins/two-factor/backup-codes/index.d.mts

@@ -264,9 +264,10 @@ declare const backupCode2fa: (opts: BackupCodeOptions) => {
       backupCodes: string[];
     }>;
     /**
-     * ### Endpoint
-     *
-     * POST `/two-factor/view-backup-codes`
+     * A server-only function that returns a user's decrypted two-factor
+     * backup codes. It is not exposed over HTTP and has no client method;
+     * call it from trusted server code with a `userId` taken from an
+     * authenticated session.
      *
      * ### API Methods
      *

package/dist/plugins/two-factor/client.mjs

@@ -1,5 +1,6 @@
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { TWO_FACTOR_ERROR_CODES } from "./error-code.mjs";
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 //#region src/plugins/two-factor/client.ts
 const twoFactorClient = (options) => {
 	return {
@@ -29,7 +30,7 @@ const twoFactorClient = (options) => {
 						await options.onTwoFactorRedirect({ twoFactorMethods: context.data.twoFactorMethods });
 						return;
 					}
-					if (options?.twoFactorPage && typeof window !== "undefined") window.location.href = options.twoFactorPage;
+					if (options?.twoFactorPage && typeof window !== "undefined" && isSafeUrlScheme(options.twoFactorPage)) window.location.href = options.twoFactorPage;
 				}
 			} }
 		}],