better-auth 1.6.14 → 1.6.15

package/dist/api/dispatch.d.mts

@@ -0,0 +1,34 @@
+import { AuthContext } from "@better-auth/core";
+import { Endpoint, EndpointContext, InputContext } from "better-call";
+
+//#region src/api/dispatch.d.ts
+/**
+ * Input accepted by {@link dispatchAuthEndpoint}. `context` must already be a
+ * resolved `AuthContext`; the caller owns `baseURL` resolution. A fresh
+ * dispatch carries no `session` (the shared context has none), while a resumed
+ * dispatch carries the in-flight request's `session` through.
+ */
+type DispatchContext = Partial<InputContext<string, any> & EndpointContext<string, any>> & {
+  context: AuthContext & {
+    returned?: unknown | undefined;
+    responseHeaders?: Headers | undefined;
+  };
+  operationId?: string | undefined;
+};
+/**
+ * Run a single endpoint through the configured `hooks.before` / `hooks.after`
+ * pipeline, normalizing the response, headers, and `APIError`s the same way a
+ * router or `auth.api.*` dispatch does.
+ *
+ * This is the canonical hook runner. The HTTP router and `auth.api.*` reach it
+ * through {@link toAuthEndpoints}. Plugins call it directly when they need to
+ * re-enter the pipeline on purpose, such as resuming `/oauth2/authorize` after
+ * a fresh sign-in. Calling an endpoint as a plain function deliberately skips
+ * hooks; `dispatchAuthEndpoint` is the supported way to opt back in.
+ *
+ * @param endpoint The endpoint to dispatch.
+ * @param input Input context whose `context` is an already-resolved `AuthContext`.
+ */
+declare function dispatchAuthEndpoint(endpoint: Endpoint, input: DispatchContext): Promise<unknown>;
+//#endregion
+export { DispatchContext, dispatchAuthEndpoint };

package/dist/api/dispatch.mjs

@@ -0,0 +1,272 @@
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { isRequestLike } from "../utils/url.mjs";
+import { runWithEndpointContext } from "@better-auth/core/context";
+import { shouldPublishLog } from "@better-auth/core/env";
+import { APIError } from "@better-auth/core/error";
+import { createDefu } from "defu";
+import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan } from "@better-auth/core/instrumentation";
+import { kAPIErrorHeaderSymbol, toResponse } from "better-call";
+//#region src/api/dispatch.ts
+const defuReplaceArrays = createDefu((obj, key, value) => {
+	if (Array.isArray(obj[key]) && Array.isArray(value)) {
+		obj[key] = value;
+		return true;
+	}
+});
+const hooksSourceWeakMap = /* @__PURE__ */ new WeakMap();
+/**
+* Resolves the operation id used for spans, preferring an explicit
+* `operationId`, then the OpenAPI one, then the caller's `fallback` (the
+* `auth.api.*` map key), and finally the route path.
+*/
+function getOperationId(endpoint, fallback) {
+	const opts = endpoint.options;
+	return opts?.operationId ?? opts?.metadata?.openapi?.operationId ?? fallback ?? endpoint.path ?? "/:virtual";
+}
+/**
+* Merge a set of response headers onto the dispatch's accumulator, appending
+* `set-cookie` (multiple cookies are legal) and replacing everything else.
+*/
+function mergeResponseHeaders(context, headers) {
+	if (!headers) return;
+	headers.forEach((value, key) => {
+		if (!context.responseHeaders) context.responseHeaders = new Headers({ [key]: value });
+		else if (key.toLowerCase() === "set-cookie") context.responseHeaders.append(key, value);
+		else context.responseHeaders.set(key, value);
+	});
+}
+/**
+* Combine the two header sources an `APIError` can carry into one set:
+* - `kAPIErrorHeaderSymbol`: `ctx.responseHeaders` accumulated via
+*   `c.setCookie` / `c.setHeader` before the throw.
+* - `e.headers`: explicit headers on the error (e.g. `location` from
+*   `c.redirect`).
+*
+* `c.redirect()` reuses `ctx.responseHeaders` as `e.headers`, so when both
+* point at the same object iterating each would duplicate every `set-cookie`;
+* the identity check skips that copy. Explicit error headers override
+* accumulated ones, while cookies from both accumulate.
+*/
+function mergeAPIErrorHeaders(error) {
+	const ctxHeaders = error[kAPIErrorHeaderSymbol];
+	const errHeaders = error.headers && error.headers !== ctxHeaders ? new Headers(error.headers) : null;
+	if (!ctxHeaders && !errHeaders) return null;
+	const headers = new Headers();
+	ctxHeaders?.forEach((value, key) => {
+		headers.append(key, value);
+	});
+	errHeaders?.forEach((value, key) => {
+		if (key.toLowerCase() === "set-cookie") headers.append(key, value);
+		else headers.set(key, value);
+	});
+	return headers;
+}
+async function runBeforeHooks(context, hooks, endpoint, operationId) {
+	let modifiedContext = {};
+	for (const hook of hooks) {
+		let matched = false;
+		try {
+			matched = hook.matcher(context);
+		} catch (error) {
+			const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+			context.context.logger.error(`An error occurred during ${hookSource} hook matcher execution:`, error);
+			throw new APIError("INTERNAL_SERVER_ERROR", { message: "An error occurred during hook matcher execution. Check the logs for more details." });
+		}
+		if (!matched) continue;
+		const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+		const route = endpoint.path ?? "/:virtual";
+		const result = await withSpan(`hook before ${route} ${hookSource}`, {
+			[ATTR_HOOK_TYPE]: "before",
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_CONTEXT]: hookSource,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => hook.handler({
+			...context,
+			returnHeaders: true
+		})).catch((e) => {
+			if (isAPIError(e) && shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
+			throw e;
+		});
+		mergeResponseHeaders(context.context, result?.headers);
+		const hookReturn = result?.response;
+		if (hookReturn && typeof hookReturn === "object") {
+			if ("context" in hookReturn && typeof hookReturn.context === "object") {
+				const { headers, ...rest } = hookReturn.context;
+				if (headers instanceof Headers) if (modifiedContext.headers) headers.forEach((value, key) => {
+					modifiedContext.headers?.set(key, value);
+				});
+				else modifiedContext.headers = headers;
+				modifiedContext = defuReplaceArrays(rest, modifiedContext);
+				continue;
+			}
+			return hookReturn;
+		}
+	}
+	return { context: modifiedContext };
+}
+async function runAfterHooks(context, hooks, endpoint, operationId) {
+	for (const hook of hooks) {
+		if (!hook.matcher(context)) continue;
+		const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+		const route = endpoint.path ?? "/:virtual";
+		const result = await withSpan(`hook after ${route} ${hookSource}`, {
+			[ATTR_HOOK_TYPE]: "after",
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_CONTEXT]: hookSource,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => hook.handler(context)).catch((e) => {
+			if (isAPIError(e)) {
+				if (shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
+				return {
+					response: e,
+					headers: mergeAPIErrorHeaders(e)
+				};
+			}
+			throw e;
+		});
+		mergeResponseHeaders(context.context, result.headers);
+		if (result.response !== void 0) context.context.returned = result.response;
+	}
+	return {
+		response: context.context.returned,
+		headers: context.context.responseHeaders
+	};
+}
+function getHooks(authContext) {
+	const plugins = authContext.options.plugins || [];
+	const beforeHooks = [];
+	const afterHooks = [];
+	const beforeHookHandler = authContext.options.hooks?.before;
+	if (beforeHookHandler) {
+		hooksSourceWeakMap.set(beforeHookHandler, "user");
+		beforeHooks.push({
+			matcher: () => true,
+			handler: beforeHookHandler
+		});
+	}
+	const afterHookHandler = authContext.options.hooks?.after;
+	if (afterHookHandler) {
+		hooksSourceWeakMap.set(afterHookHandler, "user");
+		afterHooks.push({
+			matcher: () => true,
+			handler: afterHookHandler
+		});
+	}
+	const pluginBeforeHooks = plugins.flatMap((plugin) => (plugin.hooks?.before ?? []).map((h) => {
+		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
+		return h;
+	}));
+	const pluginAfterHooks = plugins.flatMap((plugin) => (plugin.hooks?.after ?? []).map((h) => {
+		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
+		return h;
+	}));
+	if (pluginBeforeHooks.length) beforeHooks.push(...pluginBeforeHooks);
+	if (pluginAfterHooks.length) afterHooks.push(...pluginAfterHooks);
+	return {
+		beforeHooks,
+		afterHooks
+	};
+}
+/**
+* Run a single endpoint through the configured `hooks.before` / `hooks.after`
+* pipeline, normalizing the response, headers, and `APIError`s the same way a
+* router or `auth.api.*` dispatch does.
+*
+* This is the canonical hook runner. The HTTP router and `auth.api.*` reach it
+* through {@link toAuthEndpoints}. Plugins call it directly when they need to
+* re-enter the pipeline on purpose, such as resuming `/oauth2/authorize` after
+* a fresh sign-in. Calling an endpoint as a plain function deliberately skips
+* hooks; `dispatchAuthEndpoint` is the supported way to opt back in.
+*
+* @param endpoint The endpoint to dispatch.
+* @param input Input context whose `context` is an already-resolved `AuthContext`.
+*/
+async function dispatchAuthEndpoint(endpoint, input) {
+	const operationId = input.operationId ?? getOperationId(endpoint);
+	const route = endpoint.path ?? "/:virtual";
+	const endpointMethod = endpoint.options?.method;
+	const defaultMethod = Array.isArray(endpointMethod) ? endpointMethod[0] : endpointMethod;
+	const methodName = input.method ?? input.request?.method ?? defaultMethod ?? "?";
+	const shouldReturnResponse = input.asResponse ?? isRequestLike(input.request);
+	let internalContext = {
+		...input,
+		context: {
+			...input.context,
+			returned: void 0,
+			responseHeaders: void 0,
+			session: input.context.session ?? null
+		},
+		path: endpoint.path,
+		headers: input.headers ? new Headers(input.headers) : void 0
+	};
+	return withSpan(`${methodName} ${route}`, {
+		[ATTR_HTTP_ROUTE]: route,
+		[ATTR_OPERATION_ID]: operationId
+	}, async () => runWithEndpointContext(internalContext, async () => {
+		const { beforeHooks, afterHooks } = getHooks(internalContext.context);
+		const before = await runBeforeHooks(internalContext, beforeHooks, endpoint, operationId);
+		if ("context" in before && before.context && typeof before.context === "object") {
+			const { headers, ...rest } = before.context;
+			if (headers) {
+				if (!internalContext.headers) internalContext.headers = new Headers();
+				const requestHeaders = internalContext.headers;
+				headers.forEach((value, key) => {
+					requestHeaders.set(key, value);
+				});
+			}
+			internalContext = defuReplaceArrays(rest, internalContext);
+		} else if (before) {
+			const responseHeaders = internalContext.context.responseHeaders;
+			return shouldReturnResponse ? toResponse(before, { headers: responseHeaders }) : input.returnHeaders ? {
+				headers: responseHeaders,
+				response: before
+			} : before;
+		}
+		internalContext.asResponse = false;
+		internalContext.returnHeaders = true;
+		internalContext.returnStatus = true;
+		const result = await runWithEndpointContext(internalContext, () => withSpan(`handler ${route}`, {
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => endpoint(internalContext))).catch((e) => {
+			if (isAPIError(e)) return {
+				response: e,
+				status: e.statusCode,
+				headers: mergeAPIErrorHeaders(e)
+			};
+			throw e;
+		});
+		if (result instanceof Response) return result;
+		internalContext.context.returned = result.response;
+		internalContext.context.responseHeaders = result.headers ?? void 0;
+		const after = await runAfterHooks(internalContext, afterHooks, endpoint, operationId);
+		if (after.response !== void 0) result.response = after.response;
+		result.headers = after.headers ?? result.headers;
+		if (isAPIError(result.response) && shouldPublishLog(internalContext.context.logger.level, "debug")) result.response.stack = result.response.errorStack;
+		if (isAPIError(result.response) && !shouldReturnResponse) {
+			if (result.headers) Object.defineProperty(result.response, kAPIErrorHeaderSymbol, {
+				enumerable: false,
+				configurable: true,
+				writable: false,
+				value: result.headers
+			});
+			throw result.response;
+		}
+		return shouldReturnResponse ? toResponse(result.response, {
+			headers: result.headers ?? void 0,
+			status: result.status
+		}) : input.returnHeaders ? input.returnStatus ? {
+			headers: result.headers,
+			response: result.response,
+			status: result.status
+		} : {
+			headers: result.headers,
+			response: result.response
+		} : input.returnStatus ? {
+			response: result.response,
+			status: result.status
+		} : result.response;
+	}));
+}
+//#endregion
+export { dispatchAuthEndpoint, getOperationId };

package/dist/api/index.d.mts

@@ -2,6 +2,7 @@ import { OverrideMerge, Prettify as Prettify$1, UnionToIntersection } from "../t
 import { AdditionalSessionFieldsInput, AdditionalUserFieldsInput } from "../types/models.mjs";
 import { getIp } from "../utils/get-request-ip.mjs";
 import { isAPIError } from "../utils/is-api-error.mjs";
+import { DispatchContext, dispatchAuthEndpoint } from "./dispatch.mjs";
 import { requireOrgRole, requireResourceOwnership } from "./middlewares/authorization.mjs";
 import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./middlewares/origin-check.mjs";
 import { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount } from "./routes/account.mjs";
@@ -3960,4 +3961,4 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
   } extends infer T_2 ? { [K in keyof T_2 as K extends keyof T_1 ? never : K]: T_2[K] } : never) & T_1> : never : never : never;
 };
 //#endregion
-export { APIError, type AuthEndpoint, type AuthMiddleware, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, type AuthEndpoint, type AuthMiddleware, type DispatchContext, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/index.mjs

@@ -17,6 +17,7 @@ import { signOut } from "./routes/sign-out.mjs";
 import { signUpEmail } from "./routes/sign-up.mjs";
 import { updateSession } from "./routes/update-session.mjs";
 import { changeEmail, changePassword, deleteUser, deleteUserCallback, setPassword, updateUser } from "./routes/update-user.mjs";
+import { dispatchAuthEndpoint } from "./dispatch.mjs";
 import { toAuthEndpoints } from "./to-auth-endpoints.mjs";
 import { logger } from "@better-auth/core/env";
 import { APIError } from "@better-auth/core/error";
@@ -213,4 +214,4 @@ const router = (ctx, options) => {
 	});
 };
 //#endregion
-export { APIError, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/routes/session.mjs

@@ -355,7 +355,7 @@ const freshSessionMiddleware = createAuthMiddleware(async (ctx) => {
 const listSessions = () => createAuthEndpoint("/list-sessions", {
 	method: "GET",
 	operationId: "listUserSessions",
-	use: [sessionMiddleware],
+	use: [freshSessionMiddleware],
 	requireHeaders: true,
 	metadata: { openapi: {
 		operationId: "listUserSessions",

package/dist/api/to-auth-endpoints.mjs

@@ -1,25 +1,9 @@
-import { isAPIError } from "../utils/is-api-error.mjs";
 import { isDynamicBaseURLConfig, isRequestLike } from "../utils/url.mjs";
 import { pickSource, resolveDynamicTrustedProxyHeaders, resolveRequestContext } from "../context/helpers.mjs";
-import { hasRequestState, runWithEndpointContext, runWithRequestState } from "@better-auth/core/context";
-import { shouldPublishLog } from "@better-auth/core/env";
+import { dispatchAuthEndpoint, getOperationId } from "./dispatch.mjs";
+import { hasRequestState, runWithRequestState } from "@better-auth/core/context";
 import { APIError, BetterAuthError } from "@better-auth/core/error";
-import { createDefu } from "defu";
-import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan } from "@better-auth/core/instrumentation";
-import { kAPIErrorHeaderSymbol, toResponse } from "better-call";
 //#region src/api/to-auth-endpoints.ts
-const defuReplaceArrays = createDefu((obj, key, value) => {
-	if (Array.isArray(obj[key]) && Array.isArray(value)) {
-		obj[key] = value;
-		return true;
-	}
-});
-const hooksSourceWeakMap = /* @__PURE__ */ new WeakMap();
-function getOperationId(endpoint, key) {
-	if (!endpoint?.options) return key;
-	const opts = endpoint.options;
-	return opts.operationId ?? opts.metadata?.openapi?.operationId ?? key;
-}
 /**
 * Resolves the per-call `AuthContext` for endpoints with a dynamic `baseURL`.
 *
@@ -41,269 +25,34 @@ async function resolveDynamicContext(rawCtx, input) {
 		throw err;
 	}
 }
+/**
+* Wraps each raw endpoint so a router or `auth.api.*` call runs it through the
+* configured hook pipeline. Per-call work that is specific to this entry point
+* (dynamic `baseURL` resolution, request-state initialization) happens here;
+* the hook pipeline itself lives in {@link dispatchAuthEndpoint}.
+*/
 function toAuthEndpoints(endpoints, ctx) {
 	const api = {};
 	for (const [key, endpoint] of Object.entries(endpoints)) {
 		api[key] = async (context) => {
 			const operationId = getOperationId(endpoint, key);
-			const endpointMethod = endpoint?.options?.method;
-			const defaultMethod = Array.isArray(endpointMethod) ? endpointMethod[0] : endpointMethod;
 			const run = async () => {
 				const rawContext = await ctx;
-				const methodName = context?.method ?? context?.request?.method ?? defaultMethod ?? "?";
-				const route = endpoint.path ?? "/:virtual";
 				const authContext = isDynamicBaseURLConfig(rawContext.options.baseURL) ? await resolveDynamicContext(rawContext, context) : rawContext;
-				let internalContext = {
+				return dispatchAuthEndpoint(endpoint, {
 					...context,
-					context: {
-						...authContext,
-						returned: void 0,
-						responseHeaders: void 0,
-						session: null
-					},
-					path: endpoint.path,
-					headers: context?.headers ? new Headers(context?.headers) : void 0
-				};
-				const hasRequest = isRequestLike(context?.request);
-				const shouldReturnResponse = context?.asResponse ?? hasRequest;
-				return withSpan(`${methodName} ${route}`, {
-					[ATTR_HTTP_ROUTE]: route,
-					[ATTR_OPERATION_ID]: operationId
-				}, async () => runWithEndpointContext(internalContext, async () => {
-					const { beforeHooks, afterHooks } = getHooks(authContext);
-					const before = await runBeforeHooks(internalContext, beforeHooks, endpoint, operationId);
-					/**
-					* If `before.context` is returned, it should
-					* get merged with the original context
-					*/
-					if ("context" in before && before.context && typeof before.context === "object") {
-						const { headers, ...rest } = before.context;
-						/**
-						* Headers should be merged differently
-						* so the hook doesn't override the whole
-						* header
-						*/
-						if (headers) headers.forEach((value, key) => {
-							internalContext.headers.set(key, value);
-						});
-						internalContext = defuReplaceArrays(rest, internalContext);
-					} else if (before) return shouldReturnResponse ? toResponse(before, { headers: context?.headers }) : context?.returnHeaders ? {
-						headers: context?.headers,
-						response: before
-					} : before;
-					internalContext.asResponse = false;
-					internalContext.returnHeaders = true;
-					internalContext.returnStatus = true;
-					const result = await runWithEndpointContext(internalContext, () => withSpan(`handler ${route}`, {
-						[ATTR_HTTP_ROUTE]: route,
-						[ATTR_OPERATION_ID]: operationId
-					}, () => endpoint(internalContext))).catch((e) => {
-						if (isAPIError(e)) {
-							/**
-							* API Errors from response are caught
-							* and returned to hooks.
-							*
-							* Headers come from two sources that must both
-							* survive:
-							* - `kAPIErrorHeaderSymbol`: ctx.responseHeaders
-							*   accumulated via c.setCookie / c.setHeader
-							*   before the throw.
-							* - `e.headers`: explicit headers on the APIError
-							*   (e.g. `location` from c.redirect).
-							*
-							* Start from the accumulated ctx headers, then
-							* apply e.headers on top — appending `set-cookie`
-							* and setting others — so explicit APIError
-							* headers override while cookies accumulate.
-							*/
-							const ctxHeaders = e[kAPIErrorHeaderSymbol];
-							/**
-							* `c.redirect()` (and similar APIError throws) reuse
-							* `ctx.responseHeaders` as `e.headers`, so when both sources
-							* reference the same Headers, iterating both duplicates every
-							* `set-cookie`. Skip the `errHeaders` copy in that case.
-							*/
-							const errHeaders = e.headers && e.headers !== ctxHeaders ? new Headers(e.headers) : null;
-							let headers = null;
-							if (ctxHeaders || errHeaders) {
-								headers = new Headers();
-								ctxHeaders?.forEach((value, key) => {
-									headers.append(key, value);
-								});
-								errHeaders?.forEach((value, key) => {
-									if (key.toLowerCase() === "set-cookie") headers.append(key, value);
-									else headers.set(key, value);
-								});
-							}
-							return {
-								response: e,
-								status: e.statusCode,
-								headers
-							};
-						}
-						throw e;
-					});
-					if (result && result instanceof Response) return result;
-					internalContext.context.returned = result.response;
-					internalContext.context.responseHeaders = result.headers;
-					const after = await runAfterHooks(internalContext, afterHooks, endpoint, operationId);
-					if (after.response) result.response = after.response;
-					if (isAPIError(result.response) && shouldPublishLog(authContext.logger.level, "debug")) result.response.stack = result.response.errorStack;
-					if (isAPIError(result.response) && !shouldReturnResponse) {
-						/**
-						* Non-response path: we re-throw the raw APIError
-						* to callers of `auth.api.*`. `result.headers`
-						* holds the merged ctx + explicit headers (see
-						* catch block above) — rewrite
-						* `kAPIErrorHeaderSymbol` with the merged set so
-						* downstream pipelines (e.g. better-call's
-						* response builder, or an outer hook catch) see
-						* the same headers we'd have written on the
-						* response.
-						*/
-						if (result.headers) Object.defineProperty(result.response, kAPIErrorHeaderSymbol, {
-							enumerable: false,
-							configurable: true,
-							writable: false,
-							value: result.headers
-						});
-						throw result.response;
-					}
-					return shouldReturnResponse ? toResponse(result.response, {
-						headers: result.headers,
-						status: result.status
-					}) : context?.returnHeaders ? context?.returnStatus ? {
-						headers: result.headers,
-						response: result.response,
-						status: result.status
-					} : {
-						headers: result.headers,
-						response: result.response
-					} : context?.returnStatus ? {
-						response: result.response,
-						status: result.status
-					} : result.response;
-				}));
+					context: authContext,
+					operationId,
+					asResponse: context?.asResponse ?? isRequestLike(context?.request)
+				});
 			};
 			if (await hasRequestState()) return run();
-			else return runWithRequestState(/* @__PURE__ */ new WeakMap(), run);
+			return runWithRequestState(/* @__PURE__ */ new WeakMap(), run);
 		};
 		api[key].path = endpoint.path;
 		api[key].options = endpoint.options;
 	}
 	return api;
 }
-async function runBeforeHooks(context, hooks, endpoint, operationId) {
-	let modifiedContext = {};
-	for (const hook of hooks) {
-		let matched = false;
-		try {
-			matched = hook.matcher(context);
-		} catch (error) {
-			const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
-			context.context.logger.error(`An error occurred during ${hookSource} hook matcher execution:`, error);
-			throw new APIError("INTERNAL_SERVER_ERROR", { message: `An error occurred during hook matcher execution. Check the logs for more details.` });
-		}
-		if (matched) {
-			const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
-			const route = endpoint.path ?? "/:virtual";
-			const result = await withSpan(`hook before ${route} ${hookSource}`, {
-				[ATTR_HOOK_TYPE]: "before",
-				[ATTR_HTTP_ROUTE]: route,
-				[ATTR_CONTEXT]: hookSource,
-				[ATTR_OPERATION_ID]: operationId
-			}, () => hook.handler({
-				...context,
-				returnHeaders: false
-			})).catch((e) => {
-				if (isAPIError(e) && shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
-				throw e;
-			});
-			if (result && typeof result === "object") {
-				if ("context" in result && typeof result.context === "object") {
-					const { headers, ...rest } = result.context;
-					if (headers instanceof Headers) if (modifiedContext.headers) headers.forEach((value, key) => {
-						modifiedContext.headers?.set(key, value);
-					});
-					else modifiedContext.headers = headers;
-					modifiedContext = defuReplaceArrays(rest, modifiedContext);
-					continue;
-				}
-				return result;
-			}
-		}
-	}
-	return { context: modifiedContext };
-}
-async function runAfterHooks(context, hooks, endpoint, operationId) {
-	for (const hook of hooks) if (hook.matcher(context)) {
-		const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
-		const route = endpoint.path ?? "/:virtual";
-		const result = await withSpan(`hook after ${route} ${hookSource}`, {
-			[ATTR_HOOK_TYPE]: "after",
-			[ATTR_HTTP_ROUTE]: route,
-			[ATTR_CONTEXT]: hookSource,
-			[ATTR_OPERATION_ID]: operationId
-		}, () => hook.handler(context)).catch((e) => {
-			if (isAPIError(e)) {
-				const headers = e[kAPIErrorHeaderSymbol];
-				if (shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
-				return {
-					response: e,
-					headers: headers ? headers : e.headers ? new Headers(e.headers) : null
-				};
-			}
-			throw e;
-		});
-		if (result.headers) result.headers.forEach((value, key) => {
-			if (!context.context.responseHeaders) context.context.responseHeaders = new Headers({ [key]: value });
-			else if (key.toLowerCase() === "set-cookie") context.context.responseHeaders.append(key, value);
-			else context.context.responseHeaders.set(key, value);
-		});
-		if (result.response) context.context.returned = result.response;
-	}
-	return {
-		response: context.context.returned,
-		headers: context.context.responseHeaders
-	};
-}
-function getHooks(authContext) {
-	const plugins = authContext.options.plugins || [];
-	const beforeHooks = [];
-	const afterHooks = [];
-	const beforeHookHandler = authContext.options.hooks?.before;
-	if (beforeHookHandler) {
-		hooksSourceWeakMap.set(beforeHookHandler, "user");
-		beforeHooks.push({
-			matcher: () => true,
-			handler: beforeHookHandler
-		});
-	}
-	const afterHookHandler = authContext.options.hooks?.after;
-	if (afterHookHandler) {
-		hooksSourceWeakMap.set(afterHookHandler, "user");
-		afterHooks.push({
-			matcher: () => true,
-			handler: afterHookHandler
-		});
-	}
-	const pluginBeforeHooks = plugins.flatMap((plugin) => (plugin.hooks?.before ?? []).map((h) => {
-		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
-		return h;
-	}));
-	const pluginAfterHooks = plugins.flatMap((plugin) => (plugin.hooks?.after ?? []).map((h) => {
-		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
-		return h;
-	}));
-	/**
-	* Add plugin added hooks at last
-	*/
-	if (pluginBeforeHooks.length) beforeHooks.push(...pluginBeforeHooks);
-	if (pluginAfterHooks.length) afterHooks.push(...pluginAfterHooks);
-	return {
-		beforeHooks,
-		afterHooks
-	};
-}
 //#endregion
 export { toAuthEndpoints };

package/dist/cookies/cookie-utils.mjs

@@ -108,14 +108,14 @@ function toCookieOptions(attributes) {
 *
 * @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
 */
-const cookieNameRegex = /^[\w!#$%&'*.^`|~+-]+$/;
+const cookieNameRegex = /^[\x21\x23-\x27\x2A\x2B\x2D\x2E\x30-\x39\x41-\x5A\x5E\x5F\x60\x61-\x7A\x7C\x7E]+$/;
 /**
 * Cookie-value char set per RFC 6265 §4.1.1, plus space and comma.
 *
 * @see https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
 * @see https://github.com/golang/go/issues/7243
 */
-const cookieValueRegex = /^[ !#-:<-[\]-~]*$/;
+const cookieValueRegex = /^[\x20\x21\x23-\x3A\x3C-\x5B\x5D-\x7E]*$/;
 /**
 * Strip surrounding double-quotes per RFC 6265 §4.1.1 quoted-string form.
 *

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.14";
+var version = "1.6.15";
 //#endregion
 export { version };

package/dist/plugins/admin/routes.mjs

@@ -72,6 +72,7 @@ const setRole = (opts) => createAuthEndpoint("/admin/set-role", {
 		const inputRoles = Array.isArray(ctx.body.role) ? ctx.body.role : [ctx.body.role];
 		for (const role of inputRoles) if (!roles[role]) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE);
 	}
+	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const updatedUser = await ctx.context.internalAdapter.updateUser(ctx.body.userId, { role: parseRoles(ctx.body.role) });
 	return ctx.json({ user: parseUserOutput(ctx.context.options, updatedUser) });
 });
@@ -234,6 +235,7 @@ const adminUpdateUser = (opts) => createAuthEndpoint("/admin/update-user", {
 		}
 		ctx.body.data.role = parseRoles(inputRoles);
 	}
+	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const updatedUser = await ctx.context.internalAdapter.updateUser(ctx.body.userId, ctx.body.data);
 	return ctx.json(parseUserOutput(ctx.context.options, updatedUser));
 });
@@ -402,6 +404,7 @@ const unbanUser = (opts) => createAuthEndpoint("/admin/unban-user", {
 		options: opts,
 		permissions: { user: ["ban"] }
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_BAN_USERS);
+	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const user = await ctx.context.internalAdapter.updateUser(ctx.body.userId, {
 		banned: false,
 		banExpires: null,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.14",
+  "version": "1.6.15",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.17 || ^0.29.0",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.14",
-    "@better-auth/drizzle-adapter": "1.6.14",
-    "@better-auth/kysely-adapter": "1.6.14",
-    "@better-auth/memory-adapter": "1.6.14",
-    "@better-auth/mongo-adapter": "1.6.14",
-    "@better-auth/prisma-adapter": "1.6.14",
-    "@better-auth/telemetry": "1.6.14"
+    "@better-auth/core": "1.6.15",
+    "@better-auth/drizzle-adapter": "1.6.15",
+    "@better-auth/kysely-adapter": "1.6.15",
+    "@better-auth/memory-adapter": "1.6.15",
+    "@better-auth/mongo-adapter": "1.6.15",
+    "@better-auth/prisma-adapter": "1.6.15",
+    "@better-auth/telemetry": "1.6.15"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",