better-auth 1.6.13 → 1.6.15

package/dist/api/dispatch.d.mts

@@ -0,0 +1,34 @@
+import { AuthContext } from "@better-auth/core";
+import { Endpoint, EndpointContext, InputContext } from "better-call";
+
+//#region src/api/dispatch.d.ts
+/**
+ * Input accepted by {@link dispatchAuthEndpoint}. `context` must already be a
+ * resolved `AuthContext`; the caller owns `baseURL` resolution. A fresh
+ * dispatch carries no `session` (the shared context has none), while a resumed
+ * dispatch carries the in-flight request's `session` through.
+ */
+type DispatchContext = Partial<InputContext<string, any> & EndpointContext<string, any>> & {
+  context: AuthContext & {
+    returned?: unknown | undefined;
+    responseHeaders?: Headers | undefined;
+  };
+  operationId?: string | undefined;
+};
+/**
+ * Run a single endpoint through the configured `hooks.before` / `hooks.after`
+ * pipeline, normalizing the response, headers, and `APIError`s the same way a
+ * router or `auth.api.*` dispatch does.
+ *
+ * This is the canonical hook runner. The HTTP router and `auth.api.*` reach it
+ * through {@link toAuthEndpoints}. Plugins call it directly when they need to
+ * re-enter the pipeline on purpose, such as resuming `/oauth2/authorize` after
+ * a fresh sign-in. Calling an endpoint as a plain function deliberately skips
+ * hooks; `dispatchAuthEndpoint` is the supported way to opt back in.
+ *
+ * @param endpoint The endpoint to dispatch.
+ * @param input Input context whose `context` is an already-resolved `AuthContext`.
+ */
+declare function dispatchAuthEndpoint(endpoint: Endpoint, input: DispatchContext): Promise<unknown>;
+//#endregion
+export { DispatchContext, dispatchAuthEndpoint };

package/dist/api/dispatch.mjs

@@ -0,0 +1,272 @@
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { isRequestLike } from "../utils/url.mjs";
+import { runWithEndpointContext } from "@better-auth/core/context";
+import { shouldPublishLog } from "@better-auth/core/env";
+import { APIError } from "@better-auth/core/error";
+import { createDefu } from "defu";
+import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan } from "@better-auth/core/instrumentation";
+import { kAPIErrorHeaderSymbol, toResponse } from "better-call";
+//#region src/api/dispatch.ts
+const defuReplaceArrays = createDefu((obj, key, value) => {
+	if (Array.isArray(obj[key]) && Array.isArray(value)) {
+		obj[key] = value;
+		return true;
+	}
+});
+const hooksSourceWeakMap = /* @__PURE__ */ new WeakMap();
+/**
+* Resolves the operation id used for spans, preferring an explicit
+* `operationId`, then the OpenAPI one, then the caller's `fallback` (the
+* `auth.api.*` map key), and finally the route path.
+*/
+function getOperationId(endpoint, fallback) {
+	const opts = endpoint.options;
+	return opts?.operationId ?? opts?.metadata?.openapi?.operationId ?? fallback ?? endpoint.path ?? "/:virtual";
+}
+/**
+* Merge a set of response headers onto the dispatch's accumulator, appending
+* `set-cookie` (multiple cookies are legal) and replacing everything else.
+*/
+function mergeResponseHeaders(context, headers) {
+	if (!headers) return;
+	headers.forEach((value, key) => {
+		if (!context.responseHeaders) context.responseHeaders = new Headers({ [key]: value });
+		else if (key.toLowerCase() === "set-cookie") context.responseHeaders.append(key, value);
+		else context.responseHeaders.set(key, value);
+	});
+}
+/**
+* Combine the two header sources an `APIError` can carry into one set:
+* - `kAPIErrorHeaderSymbol`: `ctx.responseHeaders` accumulated via
+*   `c.setCookie` / `c.setHeader` before the throw.
+* - `e.headers`: explicit headers on the error (e.g. `location` from
+*   `c.redirect`).
+*
+* `c.redirect()` reuses `ctx.responseHeaders` as `e.headers`, so when both
+* point at the same object iterating each would duplicate every `set-cookie`;
+* the identity check skips that copy. Explicit error headers override
+* accumulated ones, while cookies from both accumulate.
+*/
+function mergeAPIErrorHeaders(error) {
+	const ctxHeaders = error[kAPIErrorHeaderSymbol];
+	const errHeaders = error.headers && error.headers !== ctxHeaders ? new Headers(error.headers) : null;
+	if (!ctxHeaders && !errHeaders) return null;
+	const headers = new Headers();
+	ctxHeaders?.forEach((value, key) => {
+		headers.append(key, value);
+	});
+	errHeaders?.forEach((value, key) => {
+		if (key.toLowerCase() === "set-cookie") headers.append(key, value);
+		else headers.set(key, value);
+	});
+	return headers;
+}
+async function runBeforeHooks(context, hooks, endpoint, operationId) {
+	let modifiedContext = {};
+	for (const hook of hooks) {
+		let matched = false;
+		try {
+			matched = hook.matcher(context);
+		} catch (error) {
+			const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+			context.context.logger.error(`An error occurred during ${hookSource} hook matcher execution:`, error);
+			throw new APIError("INTERNAL_SERVER_ERROR", { message: "An error occurred during hook matcher execution. Check the logs for more details." });
+		}
+		if (!matched) continue;
+		const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+		const route = endpoint.path ?? "/:virtual";
+		const result = await withSpan(`hook before ${route} ${hookSource}`, {
+			[ATTR_HOOK_TYPE]: "before",
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_CONTEXT]: hookSource,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => hook.handler({
+			...context,
+			returnHeaders: true
+		})).catch((e) => {
+			if (isAPIError(e) && shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
+			throw e;
+		});
+		mergeResponseHeaders(context.context, result?.headers);
+		const hookReturn = result?.response;
+		if (hookReturn && typeof hookReturn === "object") {
+			if ("context" in hookReturn && typeof hookReturn.context === "object") {
+				const { headers, ...rest } = hookReturn.context;
+				if (headers instanceof Headers) if (modifiedContext.headers) headers.forEach((value, key) => {
+					modifiedContext.headers?.set(key, value);
+				});
+				else modifiedContext.headers = headers;
+				modifiedContext = defuReplaceArrays(rest, modifiedContext);
+				continue;
+			}
+			return hookReturn;
+		}
+	}
+	return { context: modifiedContext };
+}
+async function runAfterHooks(context, hooks, endpoint, operationId) {
+	for (const hook of hooks) {
+		if (!hook.matcher(context)) continue;
+		const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+		const route = endpoint.path ?? "/:virtual";
+		const result = await withSpan(`hook after ${route} ${hookSource}`, {
+			[ATTR_HOOK_TYPE]: "after",
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_CONTEXT]: hookSource,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => hook.handler(context)).catch((e) => {
+			if (isAPIError(e)) {
+				if (shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
+				return {
+					response: e,
+					headers: mergeAPIErrorHeaders(e)
+				};
+			}
+			throw e;
+		});
+		mergeResponseHeaders(context.context, result.headers);
+		if (result.response !== void 0) context.context.returned = result.response;
+	}
+	return {
+		response: context.context.returned,
+		headers: context.context.responseHeaders
+	};
+}
+function getHooks(authContext) {
+	const plugins = authContext.options.plugins || [];
+	const beforeHooks = [];
+	const afterHooks = [];
+	const beforeHookHandler = authContext.options.hooks?.before;
+	if (beforeHookHandler) {
+		hooksSourceWeakMap.set(beforeHookHandler, "user");
+		beforeHooks.push({
+			matcher: () => true,
+			handler: beforeHookHandler
+		});
+	}
+	const afterHookHandler = authContext.options.hooks?.after;
+	if (afterHookHandler) {
+		hooksSourceWeakMap.set(afterHookHandler, "user");
+		afterHooks.push({
+			matcher: () => true,
+			handler: afterHookHandler
+		});
+	}
+	const pluginBeforeHooks = plugins.flatMap((plugin) => (plugin.hooks?.before ?? []).map((h) => {
+		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
+		return h;
+	}));
+	const pluginAfterHooks = plugins.flatMap((plugin) => (plugin.hooks?.after ?? []).map((h) => {
+		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
+		return h;
+	}));
+	if (pluginBeforeHooks.length) beforeHooks.push(...pluginBeforeHooks);
+	if (pluginAfterHooks.length) afterHooks.push(...pluginAfterHooks);
+	return {
+		beforeHooks,
+		afterHooks
+	};
+}
+/**
+* Run a single endpoint through the configured `hooks.before` / `hooks.after`
+* pipeline, normalizing the response, headers, and `APIError`s the same way a
+* router or `auth.api.*` dispatch does.
+*
+* This is the canonical hook runner. The HTTP router and `auth.api.*` reach it
+* through {@link toAuthEndpoints}. Plugins call it directly when they need to
+* re-enter the pipeline on purpose, such as resuming `/oauth2/authorize` after
+* a fresh sign-in. Calling an endpoint as a plain function deliberately skips
+* hooks; `dispatchAuthEndpoint` is the supported way to opt back in.
+*
+* @param endpoint The endpoint to dispatch.
+* @param input Input context whose `context` is an already-resolved `AuthContext`.
+*/
+async function dispatchAuthEndpoint(endpoint, input) {
+	const operationId = input.operationId ?? getOperationId(endpoint);
+	const route = endpoint.path ?? "/:virtual";
+	const endpointMethod = endpoint.options?.method;
+	const defaultMethod = Array.isArray(endpointMethod) ? endpointMethod[0] : endpointMethod;
+	const methodName = input.method ?? input.request?.method ?? defaultMethod ?? "?";
+	const shouldReturnResponse = input.asResponse ?? isRequestLike(input.request);
+	let internalContext = {
+		...input,
+		context: {
+			...input.context,
+			returned: void 0,
+			responseHeaders: void 0,
+			session: input.context.session ?? null
+		},
+		path: endpoint.path,
+		headers: input.headers ? new Headers(input.headers) : void 0
+	};
+	return withSpan(`${methodName} ${route}`, {
+		[ATTR_HTTP_ROUTE]: route,
+		[ATTR_OPERATION_ID]: operationId
+	}, async () => runWithEndpointContext(internalContext, async () => {
+		const { beforeHooks, afterHooks } = getHooks(internalContext.context);
+		const before = await runBeforeHooks(internalContext, beforeHooks, endpoint, operationId);
+		if ("context" in before && before.context && typeof before.context === "object") {
+			const { headers, ...rest } = before.context;
+			if (headers) {
+				if (!internalContext.headers) internalContext.headers = new Headers();
+				const requestHeaders = internalContext.headers;
+				headers.forEach((value, key) => {
+					requestHeaders.set(key, value);
+				});
+			}
+			internalContext = defuReplaceArrays(rest, internalContext);
+		} else if (before) {
+			const responseHeaders = internalContext.context.responseHeaders;
+			return shouldReturnResponse ? toResponse(before, { headers: responseHeaders }) : input.returnHeaders ? {
+				headers: responseHeaders,
+				response: before
+			} : before;
+		}
+		internalContext.asResponse = false;
+		internalContext.returnHeaders = true;
+		internalContext.returnStatus = true;
+		const result = await runWithEndpointContext(internalContext, () => withSpan(`handler ${route}`, {
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => endpoint(internalContext))).catch((e) => {
+			if (isAPIError(e)) return {
+				response: e,
+				status: e.statusCode,
+				headers: mergeAPIErrorHeaders(e)
+			};
+			throw e;
+		});
+		if (result instanceof Response) return result;
+		internalContext.context.returned = result.response;
+		internalContext.context.responseHeaders = result.headers ?? void 0;
+		const after = await runAfterHooks(internalContext, afterHooks, endpoint, operationId);
+		if (after.response !== void 0) result.response = after.response;
+		result.headers = after.headers ?? result.headers;
+		if (isAPIError(result.response) && shouldPublishLog(internalContext.context.logger.level, "debug")) result.response.stack = result.response.errorStack;
+		if (isAPIError(result.response) && !shouldReturnResponse) {
+			if (result.headers) Object.defineProperty(result.response, kAPIErrorHeaderSymbol, {
+				enumerable: false,
+				configurable: true,
+				writable: false,
+				value: result.headers
+			});
+			throw result.response;
+		}
+		return shouldReturnResponse ? toResponse(result.response, {
+			headers: result.headers ?? void 0,
+			status: result.status
+		}) : input.returnHeaders ? input.returnStatus ? {
+			headers: result.headers,
+			response: result.response,
+			status: result.status
+		} : {
+			headers: result.headers,
+			response: result.response
+		} : input.returnStatus ? {
+			response: result.response,
+			status: result.status
+		} : result.response;
+	}));
+}
+//#endregion
+export { dispatchAuthEndpoint, getOperationId };

package/dist/api/index.d.mts

@@ -2,6 +2,7 @@ import { OverrideMerge, Prettify as Prettify$1, UnionToIntersection } from "../t
 import { AdditionalSessionFieldsInput, AdditionalUserFieldsInput } from "../types/models.mjs";
 import { getIp } from "../utils/get-request-ip.mjs";
 import { isAPIError } from "../utils/is-api-error.mjs";
+import { DispatchContext, dispatchAuthEndpoint } from "./dispatch.mjs";
 import { requireOrgRole, requireResourceOwnership } from "./middlewares/authorization.mjs";
 import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./middlewares/origin-check.mjs";
 import { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount } from "./routes/account.mjs";
@@ -3960,4 +3961,4 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
   } extends infer T_2 ? { [K in keyof T_2 as K extends keyof T_1 ? never : K]: T_2[K] } : never) & T_1> : never : never : never;
 };
 //#endregion
-export { APIError, type AuthEndpoint, type AuthMiddleware, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, type AuthEndpoint, type AuthMiddleware, type DispatchContext, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/index.mjs

@@ -17,6 +17,7 @@ import { signOut } from "./routes/sign-out.mjs";
 import { signUpEmail } from "./routes/sign-up.mjs";
 import { updateSession } from "./routes/update-session.mjs";
 import { changeEmail, changePassword, deleteUser, deleteUserCallback, setPassword, updateUser } from "./routes/update-user.mjs";
+import { dispatchAuthEndpoint } from "./dispatch.mjs";
 import { toAuthEndpoints } from "./to-auth-endpoints.mjs";
 import { logger } from "@better-auth/core/env";
 import { APIError } from "@better-auth/core/error";
@@ -213,4 +214,4 @@ const router = (ctx, options) => {
 	});
 };
 //#endregion
-export { APIError, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/routes/session.mjs

@@ -355,7 +355,7 @@ const freshSessionMiddleware = createAuthMiddleware(async (ctx) => {
 const listSessions = () => createAuthEndpoint("/list-sessions", {
 	method: "GET",
 	operationId: "listUserSessions",
-	use: [sessionMiddleware],
+	use: [freshSessionMiddleware],
 	requireHeaders: true,
 	metadata: { openapi: {
 		operationId: "listUserSessions",

package/dist/api/to-auth-endpoints.mjs

@@ -1,25 +1,9 @@
-import { isAPIError } from "../utils/is-api-error.mjs";
 import { isDynamicBaseURLConfig, isRequestLike } from "../utils/url.mjs";
 import { pickSource, resolveDynamicTrustedProxyHeaders, resolveRequestContext } from "../context/helpers.mjs";
-import { hasRequestState, runWithEndpointContext, runWithRequestState } from "@better-auth/core/context";
-import { shouldPublishLog } from "@better-auth/core/env";
+import { dispatchAuthEndpoint, getOperationId } from "./dispatch.mjs";
+import { hasRequestState, runWithRequestState } from "@better-auth/core/context";
 import { APIError, BetterAuthError } from "@better-auth/core/error";
-import { createDefu } from "defu";
-import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan } from "@better-auth/core/instrumentation";
-import { kAPIErrorHeaderSymbol, toResponse } from "better-call";
 //#region src/api/to-auth-endpoints.ts
-const defuReplaceArrays = createDefu((obj, key, value) => {
-	if (Array.isArray(obj[key]) && Array.isArray(value)) {
-		obj[key] = value;
-		return true;
-	}
-});
-const hooksSourceWeakMap = /* @__PURE__ */ new WeakMap();
-function getOperationId(endpoint, key) {
-	if (!endpoint?.options) return key;
-	const opts = endpoint.options;
-	return opts.operationId ?? opts.metadata?.openapi?.operationId ?? key;
-}
 /**
 * Resolves the per-call `AuthContext` for endpoints with a dynamic `baseURL`.
 *
@@ -41,269 +25,34 @@ async function resolveDynamicContext(rawCtx, input) {
 		throw err;
 	}
 }
+/**
+* Wraps each raw endpoint so a router or `auth.api.*` call runs it through the
+* configured hook pipeline. Per-call work that is specific to this entry point
+* (dynamic `baseURL` resolution, request-state initialization) happens here;
+* the hook pipeline itself lives in {@link dispatchAuthEndpoint}.
+*/
 function toAuthEndpoints(endpoints, ctx) {
 	const api = {};
 	for (const [key, endpoint] of Object.entries(endpoints)) {
 		api[key] = async (context) => {
 			const operationId = getOperationId(endpoint, key);
-			const endpointMethod = endpoint?.options?.method;
-			const defaultMethod = Array.isArray(endpointMethod) ? endpointMethod[0] : endpointMethod;
 			const run = async () => {
 				const rawContext = await ctx;
-				const methodName = context?.method ?? context?.request?.method ?? defaultMethod ?? "?";
-				const route = endpoint.path ?? "/:virtual";
 				const authContext = isDynamicBaseURLConfig(rawContext.options.baseURL) ? await resolveDynamicContext(rawContext, context) : rawContext;
-				let internalContext = {
+				return dispatchAuthEndpoint(endpoint, {
 					...context,
-					context: {
-						...authContext,
-						returned: void 0,
-						responseHeaders: void 0,
-						session: null
-					},
-					path: endpoint.path,
-					headers: context?.headers ? new Headers(context?.headers) : void 0
-				};
-				const hasRequest = isRequestLike(context?.request);
-				const shouldReturnResponse = context?.asResponse ?? hasRequest;
-				return withSpan(`${methodName} ${route}`, {
-					[ATTR_HTTP_ROUTE]: route,
-					[ATTR_OPERATION_ID]: operationId
-				}, async () => runWithEndpointContext(internalContext, async () => {
-					const { beforeHooks, afterHooks } = getHooks(authContext);
-					const before = await runBeforeHooks(internalContext, beforeHooks, endpoint, operationId);
-					/**
-					* If `before.context` is returned, it should
-					* get merged with the original context
-					*/
-					if ("context" in before && before.context && typeof before.context === "object") {
-						const { headers, ...rest } = before.context;
-						/**
-						* Headers should be merged differently
-						* so the hook doesn't override the whole
-						* header
-						*/
-						if (headers) headers.forEach((value, key) => {
-							internalContext.headers.set(key, value);
-						});
-						internalContext = defuReplaceArrays(rest, internalContext);
-					} else if (before) return shouldReturnResponse ? toResponse(before, { headers: context?.headers }) : context?.returnHeaders ? {
-						headers: context?.headers,
-						response: before
-					} : before;
-					internalContext.asResponse = false;
-					internalContext.returnHeaders = true;
-					internalContext.returnStatus = true;
-					const result = await runWithEndpointContext(internalContext, () => withSpan(`handler ${route}`, {
-						[ATTR_HTTP_ROUTE]: route,
-						[ATTR_OPERATION_ID]: operationId
-					}, () => endpoint(internalContext))).catch((e) => {
-						if (isAPIError(e)) {
-							/**
-							* API Errors from response are caught
-							* and returned to hooks.
-							*
-							* Headers come from two sources that must both
-							* survive:
-							* - `kAPIErrorHeaderSymbol`: ctx.responseHeaders
-							*   accumulated via c.setCookie / c.setHeader
-							*   before the throw.
-							* - `e.headers`: explicit headers on the APIError
-							*   (e.g. `location` from c.redirect).
-							*
-							* Start from the accumulated ctx headers, then
-							* apply e.headers on top — appending `set-cookie`
-							* and setting others — so explicit APIError
-							* headers override while cookies accumulate.
-							*/
-							const ctxHeaders = e[kAPIErrorHeaderSymbol];
-							/**
-							* `c.redirect()` (and similar APIError throws) reuse
-							* `ctx.responseHeaders` as `e.headers`, so when both sources
-							* reference the same Headers, iterating both duplicates every
-							* `set-cookie`. Skip the `errHeaders` copy in that case.
-							*/
-							const errHeaders = e.headers && e.headers !== ctxHeaders ? new Headers(e.headers) : null;
-							let headers = null;
-							if (ctxHeaders || errHeaders) {
-								headers = new Headers();
-								ctxHeaders?.forEach((value, key) => {
-									headers.append(key, value);
-								});
-								errHeaders?.forEach((value, key) => {
-									if (key.toLowerCase() === "set-cookie") headers.append(key, value);
-									else headers.set(key, value);
-								});
-							}
-							return {
-								response: e,
-								status: e.statusCode,
-								headers
-							};
-						}
-						throw e;
-					});
-					if (result && result instanceof Response) return result;
-					internalContext.context.returned = result.response;
-					internalContext.context.responseHeaders = result.headers;
-					const after = await runAfterHooks(internalContext, afterHooks, endpoint, operationId);
-					if (after.response) result.response = after.response;
-					if (isAPIError(result.response) && shouldPublishLog(authContext.logger.level, "debug")) result.response.stack = result.response.errorStack;
-					if (isAPIError(result.response) && !shouldReturnResponse) {
-						/**
-						* Non-response path: we re-throw the raw APIError
-						* to callers of `auth.api.*`. `result.headers`
-						* holds the merged ctx + explicit headers (see
-						* catch block above) — rewrite
-						* `kAPIErrorHeaderSymbol` with the merged set so
-						* downstream pipelines (e.g. better-call's
-						* response builder, or an outer hook catch) see
-						* the same headers we'd have written on the
-						* response.
-						*/
-						if (result.headers) Object.defineProperty(result.response, kAPIErrorHeaderSymbol, {
-							enumerable: false,
-							configurable: true,
-							writable: false,
-							value: result.headers
-						});
-						throw result.response;
-					}
-					return shouldReturnResponse ? toResponse(result.response, {
-						headers: result.headers,
-						status: result.status
-					}) : context?.returnHeaders ? context?.returnStatus ? {
-						headers: result.headers,
-						response: result.response,
-						status: result.status
-					} : {
-						headers: result.headers,
-						response: result.response
-					} : context?.returnStatus ? {
-						response: result.response,
-						status: result.status
-					} : result.response;
-				}));
+					context: authContext,
+					operationId,
+					asResponse: context?.asResponse ?? isRequestLike(context?.request)
+				});
 			};
 			if (await hasRequestState()) return run();
-			else return runWithRequestState(/* @__PURE__ */ new WeakMap(), run);
+			return runWithRequestState(/* @__PURE__ */ new WeakMap(), run);
 		};
 		api[key].path = endpoint.path;
 		api[key].options = endpoint.options;
 	}
 	return api;
 }
-async function runBeforeHooks(context, hooks, endpoint, operationId) {
-	let modifiedContext = {};
-	for (const hook of hooks) {
-		let matched = false;
-		try {
-			matched = hook.matcher(context);
-		} catch (error) {
-			const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
-			context.context.logger.error(`An error occurred during ${hookSource} hook matcher execution:`, error);
-			throw new APIError("INTERNAL_SERVER_ERROR", { message: `An error occurred during hook matcher execution. Check the logs for more details.` });
-		}
-		if (matched) {
-			const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
-			const route = endpoint.path ?? "/:virtual";
-			const result = await withSpan(`hook before ${route} ${hookSource}`, {
-				[ATTR_HOOK_TYPE]: "before",
-				[ATTR_HTTP_ROUTE]: route,
-				[ATTR_CONTEXT]: hookSource,
-				[ATTR_OPERATION_ID]: operationId
-			}, () => hook.handler({
-				...context,
-				returnHeaders: false
-			})).catch((e) => {
-				if (isAPIError(e) && shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
-				throw e;
-			});
-			if (result && typeof result === "object") {
-				if ("context" in result && typeof result.context === "object") {
-					const { headers, ...rest } = result.context;
-					if (headers instanceof Headers) if (modifiedContext.headers) headers.forEach((value, key) => {
-						modifiedContext.headers?.set(key, value);
-					});
-					else modifiedContext.headers = headers;
-					modifiedContext = defuReplaceArrays(rest, modifiedContext);
-					continue;
-				}
-				return result;
-			}
-		}
-	}
-	return { context: modifiedContext };
-}
-async function runAfterHooks(context, hooks, endpoint, operationId) {
-	for (const hook of hooks) if (hook.matcher(context)) {
-		const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
-		const route = endpoint.path ?? "/:virtual";
-		const result = await withSpan(`hook after ${route} ${hookSource}`, {
-			[ATTR_HOOK_TYPE]: "after",
-			[ATTR_HTTP_ROUTE]: route,
-			[ATTR_CONTEXT]: hookSource,
-			[ATTR_OPERATION_ID]: operationId
-		}, () => hook.handler(context)).catch((e) => {
-			if (isAPIError(e)) {
-				const headers = e[kAPIErrorHeaderSymbol];
-				if (shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
-				return {
-					response: e,
-					headers: headers ? headers : e.headers ? new Headers(e.headers) : null
-				};
-			}
-			throw e;
-		});
-		if (result.headers) result.headers.forEach((value, key) => {
-			if (!context.context.responseHeaders) context.context.responseHeaders = new Headers({ [key]: value });
-			else if (key.toLowerCase() === "set-cookie") context.context.responseHeaders.append(key, value);
-			else context.context.responseHeaders.set(key, value);
-		});
-		if (result.response) context.context.returned = result.response;
-	}
-	return {
-		response: context.context.returned,
-		headers: context.context.responseHeaders
-	};
-}
-function getHooks(authContext) {
-	const plugins = authContext.options.plugins || [];
-	const beforeHooks = [];
-	const afterHooks = [];
-	const beforeHookHandler = authContext.options.hooks?.before;
-	if (beforeHookHandler) {
-		hooksSourceWeakMap.set(beforeHookHandler, "user");
-		beforeHooks.push({
-			matcher: () => true,
-			handler: beforeHookHandler
-		});
-	}
-	const afterHookHandler = authContext.options.hooks?.after;
-	if (afterHookHandler) {
-		hooksSourceWeakMap.set(afterHookHandler, "user");
-		afterHooks.push({
-			matcher: () => true,
-			handler: afterHookHandler
-		});
-	}
-	const pluginBeforeHooks = plugins.flatMap((plugin) => (plugin.hooks?.before ?? []).map((h) => {
-		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
-		return h;
-	}));
-	const pluginAfterHooks = plugins.flatMap((plugin) => (plugin.hooks?.after ?? []).map((h) => {
-		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
-		return h;
-	}));
-	/**
-	* Add plugin added hooks at last
-	*/
-	if (pluginBeforeHooks.length) beforeHooks.push(...pluginBeforeHooks);
-	if (pluginAfterHooks.length) afterHooks.push(...pluginAfterHooks);
-	return {
-		beforeHooks,
-		afterHooks
-	};
-}
 //#endregion
 export { toAuthEndpoints };

package/dist/cookies/cookie-utils.mjs

@@ -108,14 +108,14 @@ function toCookieOptions(attributes) {
 *
 * @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
 */
-const cookieNameRegex = /^[\w!#$%&'*.^`|~+-]+$/;
+const cookieNameRegex = /^[\x21\x23-\x27\x2A\x2B\x2D\x2E\x30-\x39\x41-\x5A\x5E\x5F\x60\x61-\x7A\x7C\x7E]+$/;
 /**
 * Cookie-value char set per RFC 6265 §4.1.1, plus space and comma.
 *
 * @see https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
 * @see https://github.com/golang/go/issues/7243
 */
-const cookieValueRegex = /^[ !#-:<-[\]-~]*$/;
+const cookieValueRegex = /^[\x20\x21\x23-\x3A\x3C-\x5B\x5D-\x7E]*$/;
 /**
 * Strip surrounding double-quotes per RFC 6265 §4.1.1 quoted-string form.
 *

package/dist/cookies/index.mjs

@@ -199,7 +199,7 @@ const getSessionCookie = (request, config) => {
 	if (!cookies) return null;
 	const { cookieName = "session_token", cookiePrefix = "better-auth" } = config || {};
 	const parsedCookie = parseCookies(cookies);
-	const getCookie = (name) => parsedCookie.get(name) || parsedCookie.get(`__Secure-${name}`);
+	const getCookie = (name) => parsedCookie.get(`__Secure-${name}`) ?? parsedCookie.get(name);
 	const sessionToken = getCookie(`${cookiePrefix}.${cookieName}`) || getCookie(`${cookiePrefix}-${cookieName}`);
 	if (sessionToken) return sessionToken;
 	return null;

package/dist/db/to-zod.d.mts

@@ -25,8 +25,8 @@ type GetType<F extends DBFieldAttribute> = F extends {
   type: "date";
 } ? z.ZodDate : z.ZodAny;
 type GetRequired<F extends DBFieldAttribute, Schema extends z.core.SomeType> = F extends {
-  required: true;
-} ? Schema : z.ZodOptional<Schema>;
+  required: false;
+} ? z.ZodOptional<z.ZodNullable<Schema>> : Schema;
 type GetInput<isClientSide extends boolean, Field extends DBFieldAttribute, Schema extends z.core.SomeType> = Field extends {
   input: false;
 } ? isClientSide extends true ? never : Schema : Schema;

package/dist/db/to-zod.mjs

@@ -10,7 +10,7 @@ function toZodSchema({ fields, isClientSide }) {
 		else if (field.type === "string[]" || field.type === "number[]") schema = z.array(field.type === "string[]" ? z.string() : z.number());
 		else if (Array.isArray(field.type)) schema = z.any();
 		else schema = z[field.type]();
-		if (field?.required === false) schema = schema.optional();
+		if (field?.required === false) schema = schema.nullish();
 		if (!isClientSide && field?.returned === false) return acc;
 		return {
 			...acc,

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.13";
+var version = "1.6.15";
 //#endregion
 export { version };

package/dist/plugins/admin/routes.mjs

@@ -72,6 +72,7 @@ const setRole = (opts) => createAuthEndpoint("/admin/set-role", {
 		const inputRoles = Array.isArray(ctx.body.role) ? ctx.body.role : [ctx.body.role];
 		for (const role of inputRoles) if (!roles[role]) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE);
 	}
+	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const updatedUser = await ctx.context.internalAdapter.updateUser(ctx.body.userId, { role: parseRoles(ctx.body.role) });
 	return ctx.json({ user: parseUserOutput(ctx.context.options, updatedUser) });
 });
@@ -234,6 +235,7 @@ const adminUpdateUser = (opts) => createAuthEndpoint("/admin/update-user", {
 		}
 		ctx.body.data.role = parseRoles(inputRoles);
 	}
+	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const updatedUser = await ctx.context.internalAdapter.updateUser(ctx.body.userId, ctx.body.data);
 	return ctx.json(parseUserOutput(ctx.context.options, updatedUser));
 });
@@ -402,6 +404,7 @@ const unbanUser = (opts) => createAuthEndpoint("/admin/unban-user", {
 		options: opts,
 		permissions: { user: ["ban"] }
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_BAN_USERS);
+	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const user = await ctx.context.internalAdapter.updateUser(ctx.body.userId, {
 		banned: false,
 		banExpires: null,

package/dist/plugins/organization/adapter.mjs

@@ -550,9 +550,11 @@ const getOrgAdapter = (context, options) => {
 		createInvitation: async ({ invitation, user }) => {
 			const adapter = await getCurrentAdapter(baseAdapter);
 			const expiresAt = getDate(options?.invitationExpiresIn || 3600 * 48, "sec");
+			const invitationId = context.generateId({ model: "invitation" });
 			return await adapter.create({
 				model: "invitation",
 				data: {
+					...invitationId !== false ? { id: invitationId } : {},
 					status: "pending",
 					expiresAt,
 					createdAt: /* @__PURE__ */ new Date(),

package/dist/plugins/organization/routes/crud-access-control.d.mts

@@ -14,7 +14,7 @@ declare const createOrgRole: <O extends OrganizationOptions>(options: O) => bett
     role: z.ZodString;
     permission: z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>;
     additionalFields: z.ZodOptional<z.ZodObject<{
-      [x: string]: z.ZodOptional<z.ZodAny>;
+      [x: string]: z.ZodAny;
     }, z.core.$strip>>;
   }, z.core.$strip>;
   metadata: {

package/dist/plugins/organization/routes/crud-invites.mjs

@@ -19,6 +19,20 @@ const baseInvitationSchema = z.object({
 	resend: z.boolean().meta({ description: "Resend the invitation email, if the user is already invited. Eg: true" }).optional(),
 	teamId: z.union([z.string().meta({ description: "The team ID to invite the user to" }).optional(), z.array(z.string()).meta({ description: "The team IDs to invite the user to" }).optional()])
 });
+const getAdvancedGenerateId = (advancedOptions) => {
+	if (typeof advancedOptions !== "object" || advancedOptions === null) return;
+	const generateId = advancedOptions.generateId;
+	if (typeof generateId !== "function") return;
+	return generateId;
+};
+const hasBuiltInOpaqueInvitationIdGeneration = ({ advancedGenerateId, databaseGenerateId }) => advancedGenerateId === void 0 && (databaseGenerateId === void 0 || databaseGenerateId === "uuid");
+const shouldRequireVerifiedEmailForInvitationIdAction = ({ organizationOptions, advancedGenerateId, databaseGenerateId }) => {
+	if (organizationOptions.requireEmailVerificationOnInvitation !== void 0) return organizationOptions.requireEmailVerificationOnInvitation;
+	return !hasBuiltInOpaqueInvitationIdGeneration({
+		advancedGenerateId,
+		databaseGenerateId
+	});
+};
 const createInvitation = (option) => {
 	const additionalFieldsSchema = toZodSchema({
 		fields: option?.schema?.invitation?.additionalFields || {},
@@ -247,7 +261,11 @@ const acceptInvitation = (options) => createAuthEndpoint("/organization/accept-i
 	const invitation = await adapter.findInvitationById(ctx.body.invitationId);
 	if (!invitation || invitation.expiresAt < /* @__PURE__ */ new Date() || invitation.status !== "pending") throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVITATION_NOT_FOUND);
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
-	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
+	if (shouldRequireVerifiedEmailForInvitationIdAction({
+		organizationOptions: ctx.context.orgOptions,
+		advancedGenerateId: getAdvancedGenerateId(ctx.context.options.advanced),
+		databaseGenerateId: ctx.context.options.advanced?.database?.generateId
+	}) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
 	const membershipLimit = ctx.context.orgOptions?.membershipLimit || 100;
 	const membersCount = await adapter.countMembers({ organizationId: invitation.organizationId });
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
@@ -336,7 +354,11 @@ const rejectInvitation = (options) => createAuthEndpoint("/organization/reject-i
 		code: "INVITATION_NOT_FOUND"
 	});
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
-	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
+	if (shouldRequireVerifiedEmailForInvitationIdAction({
+		organizationOptions: ctx.context.orgOptions,
+		advancedGenerateId: getAdvancedGenerateId(ctx.context.options.advanced),
+		databaseGenerateId: ctx.context.options.advanced?.database?.generateId
+	}) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
 	if (!organization) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.ORGANIZATION_NOT_FOUND);
 	if (options?.organizationHooks?.beforeRejectInvitation) await options?.organizationHooks.beforeRejectInvitation({
@@ -455,7 +477,11 @@ const getInvitation = (options) => createAuthEndpoint("/organization/get-invitat
 	const invitation = await adapter.findInvitationById(ctx.query.id);
 	if (!invitation || invitation.status !== "pending" || invitation.expiresAt < /* @__PURE__ */ new Date()) throw APIError.fromStatus("BAD_REQUEST", { message: "Invitation not found!" });
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
-	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
+	if (shouldRequireVerifiedEmailForInvitationIdAction({
+		organizationOptions: ctx.context.orgOptions,
+		advancedGenerateId: getAdvancedGenerateId(ctx.context.options.advanced),
+		databaseGenerateId: ctx.context.options.advanced?.database?.generateId
+	}) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
 	if (!organization) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.ORGANIZATION_NOT_FOUND);
 	const member = await adapter.findMemberByOrgId({
@@ -541,7 +567,7 @@ const listUserInvitations = (options) => createAuthEndpoint("/organization/list-
 }, async (ctx) => {
 	const session = await getSessionFromCtx(ctx);
 	if (ctx.request && ctx.query?.email) throw APIError.fromStatus("BAD_REQUEST", { message: "User email cannot be passed for client side API calls." });
-	if (session && (ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
+	if (session && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
 	const userEmail = session?.user.email || ctx.query?.email;
 	if (!userEmail) throw APIError.fromStatus("BAD_REQUEST", { message: "Missing session headers, or email query parameter." });
 	const pendingInvitations = (await getOrgAdapter(ctx.context, options).listUserInvitations(userEmail)).filter((inv) => inv.status === "pending");

package/dist/plugins/organization/types.d.mts

@@ -165,19 +165,26 @@ interface OrganizationOptions {
    */
   cancelPendingInvitationsOnReInvite?: boolean | undefined;
   /**
-   * Require email verification on session-authenticated recipient invitation
-   * calls (accept, reject, get, list). Defaults to `true` so unverified
-   * accounts registered against a victim's email cannot accept, read, or
-   * enumerate invitations targeted at that email. Server-side
-   * `listUserInvitations` calls without a session (caller passes
-   * `ctx.query.email`) continue to bypass the gate because the caller is
-   * trusted. Set to `false` for backward compatibility on apps that do not
-   * require email verification; understand the takeover risk before doing so.
+   * Require email verification before session-authenticated recipient
+   * invitation calls that carry an invitation ID (accept, reject, get).
    *
-   * @default true
+   * When unset, Better Auth preserves the normal emailed-invitation flow for
+   * built-in opaque invitation IDs, including the default generator and
+   * `advanced.database.generateId: "uuid"`. It requires verification for
+   * externally controlled or predictable invitation IDs, such as
+   * `advanced.database.generateId: "serial"` / `false` or custom ID
+   * generation.
+   *
+   * Set this option to `true` when invitation IDs may be visible outside the
+   * invited user's mailbox, when organization invitation lists are exposed to
+   * members, or when verified email should be the ownership proof for by-ID
+   * invitation actions. Client-side `listUserInvitations` calls always require
+   * a verified session email because they enumerate invitation IDs from
+   * `session.user.email`. Server-side `listUserInvitations` calls without a
+   * session (caller passes `ctx.query.email`) continue to bypass the gate
+   * because the caller is trusted.
    *
-   * @deprecated The option will be removed on the next minor; the gate will
-   * become unconditional. Plan to verify emails before invitation acceptance.
+   * @default undefined
    */
   requireEmailVerificationOnInvitation?: boolean | undefined;
   /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.13",
+  "version": "1.6.15",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.17 || ^0.29.0",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.13",
-    "@better-auth/drizzle-adapter": "1.6.13",
-    "@better-auth/kysely-adapter": "1.6.13",
-    "@better-auth/memory-adapter": "1.6.13",
-    "@better-auth/mongo-adapter": "1.6.13",
-    "@better-auth/prisma-adapter": "1.6.13",
-    "@better-auth/telemetry": "1.6.13"
+    "@better-auth/core": "1.6.15",
+    "@better-auth/drizzle-adapter": "1.6.15",
+    "@better-auth/kysely-adapter": "1.6.15",
+    "@better-auth/memory-adapter": "1.6.15",
+    "@better-auth/mongo-adapter": "1.6.15",
+    "@better-auth/prisma-adapter": "1.6.15",
+    "@better-auth/telemetry": "1.6.15"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",