better-auth 1.6.14 → 1.6.16

package/dist/api/dispatch.d.mts

@@ -0,0 +1,34 @@
+import { AuthContext } from "@better-auth/core";
+import { Endpoint, EndpointContext, InputContext } from "better-call";
+
+//#region src/api/dispatch.d.ts
+/**
+ * Input accepted by {@link dispatchAuthEndpoint}. `context` must already be a
+ * resolved `AuthContext`; the caller owns `baseURL` resolution. A fresh
+ * dispatch carries no `session` (the shared context has none), while a resumed
+ * dispatch carries the in-flight request's `session` through.
+ */
+type DispatchContext = Partial<InputContext<string, any> & EndpointContext<string, any>> & {
+  context: AuthContext & {
+    returned?: unknown | undefined;
+    responseHeaders?: Headers | undefined;
+  };
+  operationId?: string | undefined;
+};
+/**
+ * Run a single endpoint through the configured `hooks.before` / `hooks.after`
+ * pipeline, normalizing the response, headers, and `APIError`s the same way a
+ * router or `auth.api.*` dispatch does.
+ *
+ * This is the canonical hook runner. The HTTP router and `auth.api.*` reach it
+ * through {@link toAuthEndpoints}. Plugins call it directly when they need to
+ * re-enter the pipeline on purpose, such as resuming `/oauth2/authorize` after
+ * a fresh sign-in. Calling an endpoint as a plain function deliberately skips
+ * hooks; `dispatchAuthEndpoint` is the supported way to opt back in.
+ *
+ * @param endpoint The endpoint to dispatch.
+ * @param input Input context whose `context` is an already-resolved `AuthContext`.
+ */
+declare function dispatchAuthEndpoint(endpoint: Endpoint, input: DispatchContext): Promise<unknown>;
+//#endregion
+export { DispatchContext, dispatchAuthEndpoint };

package/dist/api/dispatch.mjs

@@ -0,0 +1,272 @@
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { isRequestLike } from "../utils/url.mjs";
+import { runWithEndpointContext } from "@better-auth/core/context";
+import { shouldPublishLog } from "@better-auth/core/env";
+import { APIError } from "@better-auth/core/error";
+import { createDefu } from "defu";
+import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan } from "@better-auth/core/instrumentation";
+import { kAPIErrorHeaderSymbol, toResponse } from "better-call";
+//#region src/api/dispatch.ts
+const defuReplaceArrays = createDefu((obj, key, value) => {
+	if (Array.isArray(obj[key]) && Array.isArray(value)) {
+		obj[key] = value;
+		return true;
+	}
+});
+const hooksSourceWeakMap = /* @__PURE__ */ new WeakMap();
+/**
+* Resolves the operation id used for spans, preferring an explicit
+* `operationId`, then the OpenAPI one, then the caller's `fallback` (the
+* `auth.api.*` map key), and finally the route path.
+*/
+function getOperationId(endpoint, fallback) {
+	const opts = endpoint.options;
+	return opts?.operationId ?? opts?.metadata?.openapi?.operationId ?? fallback ?? endpoint.path ?? "/:virtual";
+}
+/**
+* Merge a set of response headers onto the dispatch's accumulator, appending
+* `set-cookie` (multiple cookies are legal) and replacing everything else.
+*/
+function mergeResponseHeaders(context, headers) {
+	if (!headers) return;
+	headers.forEach((value, key) => {
+		if (!context.responseHeaders) context.responseHeaders = new Headers({ [key]: value });
+		else if (key.toLowerCase() === "set-cookie") context.responseHeaders.append(key, value);
+		else context.responseHeaders.set(key, value);
+	});
+}
+/**
+* Combine the two header sources an `APIError` can carry into one set:
+* - `kAPIErrorHeaderSymbol`: `ctx.responseHeaders` accumulated via
+*   `c.setCookie` / `c.setHeader` before the throw.
+* - `e.headers`: explicit headers on the error (e.g. `location` from
+*   `c.redirect`).
+*
+* `c.redirect()` reuses `ctx.responseHeaders` as `e.headers`, so when both
+* point at the same object iterating each would duplicate every `set-cookie`;
+* the identity check skips that copy. Explicit error headers override
+* accumulated ones, while cookies from both accumulate.
+*/
+function mergeAPIErrorHeaders(error) {
+	const ctxHeaders = error[kAPIErrorHeaderSymbol];
+	const errHeaders = error.headers && error.headers !== ctxHeaders ? new Headers(error.headers) : null;
+	if (!ctxHeaders && !errHeaders) return null;
+	const headers = new Headers();
+	ctxHeaders?.forEach((value, key) => {
+		headers.append(key, value);
+	});
+	errHeaders?.forEach((value, key) => {
+		if (key.toLowerCase() === "set-cookie") headers.append(key, value);
+		else headers.set(key, value);
+	});
+	return headers;
+}
+async function runBeforeHooks(context, hooks, endpoint, operationId) {
+	let modifiedContext = {};
+	for (const hook of hooks) {
+		let matched = false;
+		try {
+			matched = hook.matcher(context);
+		} catch (error) {
+			const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+			context.context.logger.error(`An error occurred during ${hookSource} hook matcher execution:`, error);
+			throw new APIError("INTERNAL_SERVER_ERROR", { message: "An error occurred during hook matcher execution. Check the logs for more details." });
+		}
+		if (!matched) continue;
+		const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+		const route = endpoint.path ?? "/:virtual";
+		const result = await withSpan(`hook before ${route} ${hookSource}`, {
+			[ATTR_HOOK_TYPE]: "before",
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_CONTEXT]: hookSource,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => hook.handler({
+			...context,
+			returnHeaders: true
+		})).catch((e) => {
+			if (isAPIError(e) && shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
+			throw e;
+		});
+		mergeResponseHeaders(context.context, result?.headers);
+		const hookReturn = result?.response;
+		if (hookReturn && typeof hookReturn === "object") {
+			if ("context" in hookReturn && typeof hookReturn.context === "object") {
+				const { headers, ...rest } = hookReturn.context;
+				if (headers instanceof Headers) if (modifiedContext.headers) headers.forEach((value, key) => {
+					modifiedContext.headers?.set(key, value);
+				});
+				else modifiedContext.headers = headers;
+				modifiedContext = defuReplaceArrays(rest, modifiedContext);
+				continue;
+			}
+			return hookReturn;
+		}
+	}
+	return { context: modifiedContext };
+}
+async function runAfterHooks(context, hooks, endpoint, operationId) {
+	for (const hook of hooks) {
+		if (!hook.matcher(context)) continue;
+		const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+		const route = endpoint.path ?? "/:virtual";
+		const result = await withSpan(`hook after ${route} ${hookSource}`, {
+			[ATTR_HOOK_TYPE]: "after",
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_CONTEXT]: hookSource,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => hook.handler(context)).catch((e) => {
+			if (isAPIError(e)) {
+				if (shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
+				return {
+					response: e,
+					headers: mergeAPIErrorHeaders(e)
+				};
+			}
+			throw e;
+		});
+		mergeResponseHeaders(context.context, result.headers);
+		if (result.response !== void 0) context.context.returned = result.response;
+	}
+	return {
+		response: context.context.returned,
+		headers: context.context.responseHeaders
+	};
+}
+function getHooks(authContext) {
+	const plugins = authContext.options.plugins || [];
+	const beforeHooks = [];
+	const afterHooks = [];
+	const beforeHookHandler = authContext.options.hooks?.before;
+	if (beforeHookHandler) {
+		hooksSourceWeakMap.set(beforeHookHandler, "user");
+		beforeHooks.push({
+			matcher: () => true,
+			handler: beforeHookHandler
+		});
+	}
+	const afterHookHandler = authContext.options.hooks?.after;
+	if (afterHookHandler) {
+		hooksSourceWeakMap.set(afterHookHandler, "user");
+		afterHooks.push({
+			matcher: () => true,
+			handler: afterHookHandler
+		});
+	}
+	const pluginBeforeHooks = plugins.flatMap((plugin) => (plugin.hooks?.before ?? []).map((h) => {
+		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
+		return h;
+	}));
+	const pluginAfterHooks = plugins.flatMap((plugin) => (plugin.hooks?.after ?? []).map((h) => {
+		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
+		return h;
+	}));
+	if (pluginBeforeHooks.length) beforeHooks.push(...pluginBeforeHooks);
+	if (pluginAfterHooks.length) afterHooks.push(...pluginAfterHooks);
+	return {
+		beforeHooks,
+		afterHooks
+	};
+}
+/**
+* Run a single endpoint through the configured `hooks.before` / `hooks.after`
+* pipeline, normalizing the response, headers, and `APIError`s the same way a
+* router or `auth.api.*` dispatch does.
+*
+* This is the canonical hook runner. The HTTP router and `auth.api.*` reach it
+* through {@link toAuthEndpoints}. Plugins call it directly when they need to
+* re-enter the pipeline on purpose, such as resuming `/oauth2/authorize` after
+* a fresh sign-in. Calling an endpoint as a plain function deliberately skips
+* hooks; `dispatchAuthEndpoint` is the supported way to opt back in.
+*
+* @param endpoint The endpoint to dispatch.
+* @param input Input context whose `context` is an already-resolved `AuthContext`.
+*/
+async function dispatchAuthEndpoint(endpoint, input) {
+	const operationId = input.operationId ?? getOperationId(endpoint);
+	const route = endpoint.path ?? "/:virtual";
+	const endpointMethod = endpoint.options?.method;
+	const defaultMethod = Array.isArray(endpointMethod) ? endpointMethod[0] : endpointMethod;
+	const methodName = input.method ?? input.request?.method ?? defaultMethod ?? "?";
+	const shouldReturnResponse = input.asResponse ?? isRequestLike(input.request);
+	let internalContext = {
+		...input,
+		context: {
+			...input.context,
+			returned: void 0,
+			responseHeaders: void 0,
+			session: input.context.session ?? null
+		},
+		path: endpoint.path,
+		headers: input.headers ? new Headers(input.headers) : void 0
+	};
+	return withSpan(`${methodName} ${route}`, {
+		[ATTR_HTTP_ROUTE]: route,
+		[ATTR_OPERATION_ID]: operationId
+	}, async () => runWithEndpointContext(internalContext, async () => {
+		const { beforeHooks, afterHooks } = getHooks(internalContext.context);
+		const before = await runBeforeHooks(internalContext, beforeHooks, endpoint, operationId);
+		if ("context" in before && before.context && typeof before.context === "object") {
+			const { headers, ...rest } = before.context;
+			if (headers) {
+				if (!internalContext.headers) internalContext.headers = new Headers();
+				const requestHeaders = internalContext.headers;
+				headers.forEach((value, key) => {
+					requestHeaders.set(key, value);
+				});
+			}
+			internalContext = defuReplaceArrays(rest, internalContext);
+		} else if (before) {
+			const responseHeaders = internalContext.context.responseHeaders;
+			return shouldReturnResponse ? toResponse(before, { headers: responseHeaders }) : input.returnHeaders ? {
+				headers: responseHeaders,
+				response: before
+			} : before;
+		}
+		internalContext.asResponse = false;
+		internalContext.returnHeaders = true;
+		internalContext.returnStatus = true;
+		const result = await runWithEndpointContext(internalContext, () => withSpan(`handler ${route}`, {
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => endpoint(internalContext))).catch((e) => {
+			if (isAPIError(e)) return {
+				response: e,
+				status: e.statusCode,
+				headers: mergeAPIErrorHeaders(e)
+			};
+			throw e;
+		});
+		if (result instanceof Response) return result;
+		internalContext.context.returned = result.response;
+		internalContext.context.responseHeaders = result.headers ?? void 0;
+		const after = await runAfterHooks(internalContext, afterHooks, endpoint, operationId);
+		if (after.response !== void 0) result.response = after.response;
+		result.headers = after.headers ?? result.headers;
+		if (isAPIError(result.response) && shouldPublishLog(internalContext.context.logger.level, "debug")) result.response.stack = result.response.errorStack;
+		if (isAPIError(result.response) && !shouldReturnResponse) {
+			if (result.headers) Object.defineProperty(result.response, kAPIErrorHeaderSymbol, {
+				enumerable: false,
+				configurable: true,
+				writable: false,
+				value: result.headers
+			});
+			throw result.response;
+		}
+		return shouldReturnResponse ? toResponse(result.response, {
+			headers: result.headers ?? void 0,
+			status: result.status
+		}) : input.returnHeaders ? input.returnStatus ? {
+			headers: result.headers,
+			response: result.response,
+			status: result.status
+		} : {
+			headers: result.headers,
+			response: result.response
+		} : input.returnStatus ? {
+			response: result.response,
+			status: result.status
+		} : result.response;
+	}));
+}
+//#endregion
+export { dispatchAuthEndpoint, getOperationId };

package/dist/api/index.d.mts

@@ -2,6 +2,7 @@ import { OverrideMerge, Prettify as Prettify$1, UnionToIntersection } from "../t
 import { AdditionalSessionFieldsInput, AdditionalUserFieldsInput } from "../types/models.mjs";
 import { getIp } from "../utils/get-request-ip.mjs";
 import { isAPIError } from "../utils/is-api-error.mjs";
+import { DispatchContext, dispatchAuthEndpoint } from "./dispatch.mjs";
 import { requireOrgRole, requireResourceOwnership } from "./middlewares/authorization.mjs";
 import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./middlewares/origin-check.mjs";
 import { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount } from "./routes/account.mjs";
@@ -3960,4 +3961,4 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
   } extends infer T_2 ? { [K in keyof T_2 as K extends keyof T_1 ? never : K]: T_2[K] } : never) & T_1> : never : never : never;
 };
 //#endregion
-export { APIError, type AuthEndpoint, type AuthMiddleware, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, type AuthEndpoint, type AuthMiddleware, type DispatchContext, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/index.mjs

@@ -17,6 +17,7 @@ import { signOut } from "./routes/sign-out.mjs";
 import { signUpEmail } from "./routes/sign-up.mjs";
 import { updateSession } from "./routes/update-session.mjs";
 import { changeEmail, changePassword, deleteUser, deleteUserCallback, setPassword, updateUser } from "./routes/update-user.mjs";
+import { dispatchAuthEndpoint } from "./dispatch.mjs";
 import { toAuthEndpoints } from "./to-auth-endpoints.mjs";
 import { logger } from "@better-auth/core/env";
 import { APIError } from "@better-auth/core/error";
@@ -213,4 +214,4 @@ const router = (ctx, options) => {
 	});
 };
 //#endregion
-export { APIError, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/middlewares/origin-check.mjs

@@ -141,6 +141,7 @@ async function validateFormCsrf(ctx) {
 		}
 		return await validateOrigin(ctx, true);
 	}
+	if (headers.get("origin") || headers.get("referer")) return await validateOrigin(ctx, true);
 }
 //#endregion
 export { formCsrfMiddleware, originCheck, originCheckMiddleware };

package/dist/api/routes/account.mjs

@@ -225,9 +225,15 @@ const unlinkAccount = createAuthEndpoint("/unlink-account", {
 * `userId` directly. Throws `UNAUTHORIZED` when an HTTP caller is
 * unauthenticated, and `USER_ID_OR_SESSION_REQUIRED` when neither a session
 * nor a `userId` is available.
+*
+* When a durable store is authoritative, bypasses the cookie cache: these
+* routes mint or refresh provider access tokens, so a server-side session
+* revocation must take effect immediately rather than waiting for the cached
+* cookie to expire. DB-less deployments keep the session in the cookie itself,
+* so the cache is left in place for them.
 */
 async function resolveUserId(ctx, userId) {
-	const session = await getSessionFromCtx(ctx);
+	const session = await getSessionFromCtx(ctx, { disableCookieCache: !!ctx.context.options.database || !!ctx.context.options.secondaryStorage });
 	if (!session && (ctx.request || ctx.headers)) throw ctx.error("UNAUTHORIZED");
 	const resolvedUserId = session?.user?.id || userId;
 	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
@@ -382,12 +388,11 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 	});
 	let account = void 0;
 	const accountData = await getAccountCookie(ctx);
-	if (accountData && accountData.userId === resolvedUserId && (!providerId || providerId === accountData?.providerId)) account = accountData;
+	const usedAccountCookie = !!accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId);
+	if (usedAccountCookie) account = accountData;
 	else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
-	let refreshToken = void 0;
-	if (accountData && providerId === accountData.providerId) refreshToken = accountData.refreshToken ?? void 0;
-	else refreshToken = account.refreshToken ?? void 0;
+	const refreshToken = account.refreshToken ?? void 0;
 	if (!refreshToken) throw APIError.from("BAD_REQUEST", {
 		message: "Refresh token not found",
 		code: "REFRESH_TOKEN_NOT_FOUND"
@@ -409,7 +414,7 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 			};
 			await ctx.context.internalAdapter.updateAccount(account.id, updateData);
 		}
-		if (accountData && providerId === accountData.providerId && ctx.context.options.account?.storeAccountCookie) await setAccountCookie(ctx, {
+		if (usedAccountCookie && ctx.context.options.account?.storeAccountCookie) await setAccountCookie(ctx, {
 			...accountData,
 			accessToken: await setTokenUtil(tokens.accessToken, ctx.context),
 			refreshToken: resolvedRefreshToken,

package/dist/api/routes/callback.mjs

@@ -81,7 +81,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		...tokens,
 		user: parsedUserData ?? void 0
 	}).then((res) => res?.user);
-	if (!userInfo || userInfo.id === void 0 || userInfo.id === null) {
+	if (!userInfo || userInfo.id === void 0 || userInfo.id === null || userInfo.id === "") {
 		c.context.logger.error("Unable to get user info");
 		redirectOnError(c, resolvedErrorURL, "unable_to_get_user_info");
 	}

package/dist/api/routes/session.mjs

@@ -276,7 +276,9 @@ const getSessionFromCtx = async (ctx, config) => {
 		returnStatus: false,
 		query: {
 			...config,
-			...ctx.query
+			...ctx.query,
+			disableCookieCache: config?.disableCookieCache || ctx.query?.disableCookieCache,
+			disableRefresh: config?.disableRefresh || ctx.query?.disableRefresh
 		}
 	}).catch(() => {
 		return null;
@@ -355,7 +357,7 @@ const freshSessionMiddleware = createAuthMiddleware(async (ctx) => {
 const listSessions = () => createAuthEndpoint("/list-sessions", {
 	method: "GET",
 	operationId: "listUserSessions",
-	use: [sessionMiddleware],
+	use: [freshSessionMiddleware],
 	requireHeaders: true,
 	metadata: { openapi: {
 		operationId: "listUserSessions",

package/dist/api/routes/update-session.mjs

@@ -1,5 +1,5 @@
 import { parseSessionInput, parseSessionOutput } from "../../db/schema.mjs";
-import { setSessionCookie } from "../../cookies/index.mjs";
+import { deleteSessionCookie, setSessionCookie } from "../../cookies/index.mjs";
 import { sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { createAuthEndpoint } from "@better-auth/core/api";
@@ -34,10 +34,16 @@ const updateSession = () => createAuthEndpoint("/update-session", {
 	const session = ctx.context.session;
 	const additionalFields = parseSessionInput(ctx.context.options, body, "update");
 	if (Object.keys(additionalFields).length === 0) throw APIError.fromStatus("BAD_REQUEST", { message: "No fields to update" });
-	const newSession = await ctx.context.internalAdapter.updateSession(session.session.token, {
+	const updatedSession = await ctx.context.internalAdapter.updateSession(session.session.token, {
 		...additionalFields,
 		updatedAt: /* @__PURE__ */ new Date()
-	}) ?? {
+	});
+	const isStateful = !!ctx.context.options.database || !!ctx.context.options.secondaryStorage;
+	if (!updatedSession && isStateful) {
+		deleteSessionCookie(ctx);
+		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.FAILED_TO_GET_SESSION);
+	}
+	const newSession = updatedSession ?? {
 		...session.session,
 		...additionalFields,
 		updatedAt: /* @__PURE__ */ new Date()