better-auth 1.6.14 → 1.6.16

package/dist/api/to-auth-endpoints.mjs

@@ -1,25 +1,9 @@
-import { isAPIError } from "../utils/is-api-error.mjs";
 import { isDynamicBaseURLConfig, isRequestLike } from "../utils/url.mjs";
 import { pickSource, resolveDynamicTrustedProxyHeaders, resolveRequestContext } from "../context/helpers.mjs";
-import { hasRequestState, runWithEndpointContext, runWithRequestState } from "@better-auth/core/context";
-import { shouldPublishLog } from "@better-auth/core/env";
+import { dispatchAuthEndpoint, getOperationId } from "./dispatch.mjs";
+import { hasRequestState, runWithRequestState } from "@better-auth/core/context";
 import { APIError, BetterAuthError } from "@better-auth/core/error";
-import { createDefu } from "defu";
-import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan } from "@better-auth/core/instrumentation";
-import { kAPIErrorHeaderSymbol, toResponse } from "better-call";
 //#region src/api/to-auth-endpoints.ts
-const defuReplaceArrays = createDefu((obj, key, value) => {
-	if (Array.isArray(obj[key]) && Array.isArray(value)) {
-		obj[key] = value;
-		return true;
-	}
-});
-const hooksSourceWeakMap = /* @__PURE__ */ new WeakMap();
-function getOperationId(endpoint, key) {
-	if (!endpoint?.options) return key;
-	const opts = endpoint.options;
-	return opts.operationId ?? opts.metadata?.openapi?.operationId ?? key;
-}
 /**
 * Resolves the per-call `AuthContext` for endpoints with a dynamic `baseURL`.
 *
@@ -41,269 +25,34 @@ async function resolveDynamicContext(rawCtx, input) {
 		throw err;
 	}
 }
+/**
+* Wraps each raw endpoint so a router or `auth.api.*` call runs it through the
+* configured hook pipeline. Per-call work that is specific to this entry point
+* (dynamic `baseURL` resolution, request-state initialization) happens here;
+* the hook pipeline itself lives in {@link dispatchAuthEndpoint}.
+*/
 function toAuthEndpoints(endpoints, ctx) {
 	const api = {};
 	for (const [key, endpoint] of Object.entries(endpoints)) {
 		api[key] = async (context) => {
 			const operationId = getOperationId(endpoint, key);
-			const endpointMethod = endpoint?.options?.method;
-			const defaultMethod = Array.isArray(endpointMethod) ? endpointMethod[0] : endpointMethod;
 			const run = async () => {
 				const rawContext = await ctx;
-				const methodName = context?.method ?? context?.request?.method ?? defaultMethod ?? "?";
-				const route = endpoint.path ?? "/:virtual";
 				const authContext = isDynamicBaseURLConfig(rawContext.options.baseURL) ? await resolveDynamicContext(rawContext, context) : rawContext;
-				let internalContext = {
+				return dispatchAuthEndpoint(endpoint, {
 					...context,
-					context: {
-						...authContext,
-						returned: void 0,
-						responseHeaders: void 0,
-						session: null
-					},
-					path: endpoint.path,
-					headers: context?.headers ? new Headers(context?.headers) : void 0
-				};
-				const hasRequest = isRequestLike(context?.request);
-				const shouldReturnResponse = context?.asResponse ?? hasRequest;
-				return withSpan(`${methodName} ${route}`, {
-					[ATTR_HTTP_ROUTE]: route,
-					[ATTR_OPERATION_ID]: operationId
-				}, async () => runWithEndpointContext(internalContext, async () => {
-					const { beforeHooks, afterHooks } = getHooks(authContext);
-					const before = await runBeforeHooks(internalContext, beforeHooks, endpoint, operationId);
-					/**
-					* If `before.context` is returned, it should
-					* get merged with the original context
-					*/
-					if ("context" in before && before.context && typeof before.context === "object") {
-						const { headers, ...rest } = before.context;
-						/**
-						* Headers should be merged differently
-						* so the hook doesn't override the whole
-						* header
-						*/
-						if (headers) headers.forEach((value, key) => {
-							internalContext.headers.set(key, value);
-						});
-						internalContext = defuReplaceArrays(rest, internalContext);
-					} else if (before) return shouldReturnResponse ? toResponse(before, { headers: context?.headers }) : context?.returnHeaders ? {
-						headers: context?.headers,
-						response: before
-					} : before;
-					internalContext.asResponse = false;
-					internalContext.returnHeaders = true;
-					internalContext.returnStatus = true;
-					const result = await runWithEndpointContext(internalContext, () => withSpan(`handler ${route}`, {
-						[ATTR_HTTP_ROUTE]: route,
-						[ATTR_OPERATION_ID]: operationId
-					}, () => endpoint(internalContext))).catch((e) => {
-						if (isAPIError(e)) {
-							/**
-							* API Errors from response are caught
-							* and returned to hooks.
-							*
-							* Headers come from two sources that must both
-							* survive:
-							* - `kAPIErrorHeaderSymbol`: ctx.responseHeaders
-							*   accumulated via c.setCookie / c.setHeader
-							*   before the throw.
-							* - `e.headers`: explicit headers on the APIError
-							*   (e.g. `location` from c.redirect).
-							*
-							* Start from the accumulated ctx headers, then
-							* apply e.headers on top — appending `set-cookie`
-							* and setting others — so explicit APIError
-							* headers override while cookies accumulate.
-							*/
-							const ctxHeaders = e[kAPIErrorHeaderSymbol];
-							/**
-							* `c.redirect()` (and similar APIError throws) reuse
-							* `ctx.responseHeaders` as `e.headers`, so when both sources
-							* reference the same Headers, iterating both duplicates every
-							* `set-cookie`. Skip the `errHeaders` copy in that case.
-							*/
-							const errHeaders = e.headers && e.headers !== ctxHeaders ? new Headers(e.headers) : null;
-							let headers = null;
-							if (ctxHeaders || errHeaders) {
-								headers = new Headers();
-								ctxHeaders?.forEach((value, key) => {
-									headers.append(key, value);
-								});
-								errHeaders?.forEach((value, key) => {
-									if (key.toLowerCase() === "set-cookie") headers.append(key, value);
-									else headers.set(key, value);
-								});
-							}
-							return {
-								response: e,
-								status: e.statusCode,
-								headers
-							};
-						}
-						throw e;
-					});
-					if (result && result instanceof Response) return result;
-					internalContext.context.returned = result.response;
-					internalContext.context.responseHeaders = result.headers;
-					const after = await runAfterHooks(internalContext, afterHooks, endpoint, operationId);
-					if (after.response) result.response = after.response;
-					if (isAPIError(result.response) && shouldPublishLog(authContext.logger.level, "debug")) result.response.stack = result.response.errorStack;
-					if (isAPIError(result.response) && !shouldReturnResponse) {
-						/**
-						* Non-response path: we re-throw the raw APIError
-						* to callers of `auth.api.*`. `result.headers`
-						* holds the merged ctx + explicit headers (see
-						* catch block above) — rewrite
-						* `kAPIErrorHeaderSymbol` with the merged set so
-						* downstream pipelines (e.g. better-call's
-						* response builder, or an outer hook catch) see
-						* the same headers we'd have written on the
-						* response.
-						*/
-						if (result.headers) Object.defineProperty(result.response, kAPIErrorHeaderSymbol, {
-							enumerable: false,
-							configurable: true,
-							writable: false,
-							value: result.headers
-						});
-						throw result.response;
-					}
-					return shouldReturnResponse ? toResponse(result.response, {
-						headers: result.headers,
-						status: result.status
-					}) : context?.returnHeaders ? context?.returnStatus ? {
-						headers: result.headers,
-						response: result.response,
-						status: result.status
-					} : {
-						headers: result.headers,
-						response: result.response
-					} : context?.returnStatus ? {
-						response: result.response,
-						status: result.status
-					} : result.response;
-				}));
+					context: authContext,
+					operationId,
+					asResponse: context?.asResponse ?? isRequestLike(context?.request)
+				});
 			};
 			if (await hasRequestState()) return run();
-			else return runWithRequestState(/* @__PURE__ */ new WeakMap(), run);
+			return runWithRequestState(/* @__PURE__ */ new WeakMap(), run);
 		};
 		api[key].path = endpoint.path;
 		api[key].options = endpoint.options;
 	}
 	return api;
 }
-async function runBeforeHooks(context, hooks, endpoint, operationId) {
-	let modifiedContext = {};
-	for (const hook of hooks) {
-		let matched = false;
-		try {
-			matched = hook.matcher(context);
-		} catch (error) {
-			const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
-			context.context.logger.error(`An error occurred during ${hookSource} hook matcher execution:`, error);
-			throw new APIError("INTERNAL_SERVER_ERROR", { message: `An error occurred during hook matcher execution. Check the logs for more details.` });
-		}
-		if (matched) {
-			const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
-			const route = endpoint.path ?? "/:virtual";
-			const result = await withSpan(`hook before ${route} ${hookSource}`, {
-				[ATTR_HOOK_TYPE]: "before",
-				[ATTR_HTTP_ROUTE]: route,
-				[ATTR_CONTEXT]: hookSource,
-				[ATTR_OPERATION_ID]: operationId
-			}, () => hook.handler({
-				...context,
-				returnHeaders: false
-			})).catch((e) => {
-				if (isAPIError(e) && shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
-				throw e;
-			});
-			if (result && typeof result === "object") {
-				if ("context" in result && typeof result.context === "object") {
-					const { headers, ...rest } = result.context;
-					if (headers instanceof Headers) if (modifiedContext.headers) headers.forEach((value, key) => {
-						modifiedContext.headers?.set(key, value);
-					});
-					else modifiedContext.headers = headers;
-					modifiedContext = defuReplaceArrays(rest, modifiedContext);
-					continue;
-				}
-				return result;
-			}
-		}
-	}
-	return { context: modifiedContext };
-}
-async function runAfterHooks(context, hooks, endpoint, operationId) {
-	for (const hook of hooks) if (hook.matcher(context)) {
-		const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
-		const route = endpoint.path ?? "/:virtual";
-		const result = await withSpan(`hook after ${route} ${hookSource}`, {
-			[ATTR_HOOK_TYPE]: "after",
-			[ATTR_HTTP_ROUTE]: route,
-			[ATTR_CONTEXT]: hookSource,
-			[ATTR_OPERATION_ID]: operationId
-		}, () => hook.handler(context)).catch((e) => {
-			if (isAPIError(e)) {
-				const headers = e[kAPIErrorHeaderSymbol];
-				if (shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
-				return {
-					response: e,
-					headers: headers ? headers : e.headers ? new Headers(e.headers) : null
-				};
-			}
-			throw e;
-		});
-		if (result.headers) result.headers.forEach((value, key) => {
-			if (!context.context.responseHeaders) context.context.responseHeaders = new Headers({ [key]: value });
-			else if (key.toLowerCase() === "set-cookie") context.context.responseHeaders.append(key, value);
-			else context.context.responseHeaders.set(key, value);
-		});
-		if (result.response) context.context.returned = result.response;
-	}
-	return {
-		response: context.context.returned,
-		headers: context.context.responseHeaders
-	};
-}
-function getHooks(authContext) {
-	const plugins = authContext.options.plugins || [];
-	const beforeHooks = [];
-	const afterHooks = [];
-	const beforeHookHandler = authContext.options.hooks?.before;
-	if (beforeHookHandler) {
-		hooksSourceWeakMap.set(beforeHookHandler, "user");
-		beforeHooks.push({
-			matcher: () => true,
-			handler: beforeHookHandler
-		});
-	}
-	const afterHookHandler = authContext.options.hooks?.after;
-	if (afterHookHandler) {
-		hooksSourceWeakMap.set(afterHookHandler, "user");
-		afterHooks.push({
-			matcher: () => true,
-			handler: afterHookHandler
-		});
-	}
-	const pluginBeforeHooks = plugins.flatMap((plugin) => (plugin.hooks?.before ?? []).map((h) => {
-		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
-		return h;
-	}));
-	const pluginAfterHooks = plugins.flatMap((plugin) => (plugin.hooks?.after ?? []).map((h) => {
-		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
-		return h;
-	}));
-	/**
-	* Add plugin added hooks at last
-	*/
-	if (pluginBeforeHooks.length) beforeHooks.push(...pluginBeforeHooks);
-	if (pluginAfterHooks.length) afterHooks.push(...pluginAfterHooks);
-	return {
-		beforeHooks,
-		afterHooks
-	};
-}
 //#endregion
 export { toAuthEndpoints };

package/dist/client/lynx/index.d.mts

@@ -69,11 +69,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -103,6 +98,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/react/index.d.mts

@@ -70,11 +70,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -104,6 +99,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/solid/index.d.mts

@@ -69,11 +69,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -103,6 +98,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/svelte/index.d.mts

@@ -55,11 +55,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -89,6 +84,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/vanilla.d.mts

@@ -53,11 +53,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -87,6 +82,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/vue/index.d.mts

@@ -93,11 +93,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -127,6 +122,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/context/create-context.mjs

@@ -59,7 +59,7 @@ async function createAuthContext(adapter, options, getDatabaseType) {
 		if (!allowedHosts || allowedHosts.length === 0) throw new BetterAuthError("baseURL.allowedHosts cannot be empty. Provide at least one allowed host pattern (e.g., [\"myapp.com\", \"*.vercel.app\"]).");
 	}
 	const baseURL = isDynamicConfig ? void 0 : getBaseURL(typeof options.baseURL === "string" ? options.baseURL : void 0, options.basePath);
-	if (!baseURL && !isDynamicConfig) logger.warn(`[better-auth] Base URL could not be determined. Please set a valid base URL using the baseURL config option or the BETTER_AUTH_URL environment variable. Without this, callbacks and redirects may not work correctly.`);
+	if (!baseURL && !isDynamicConfig) logger.warn(`[better-auth] Base URL is not set. Set the baseURL option or BETTER_AUTH_URL env, or use a dynamic baseURL with allowedHosts for multi-host setups. Without it the origin is derived from the incoming request, and callbacks and redirects may not work correctly.`);
 	if (adapter.id === "memory" && options.advanced?.database?.generateId === false) logger.error(`[better-auth] Misconfiguration detected.
 You are using the memory DB with generateId: false.
 This will cause no id to be generated for any model.

package/dist/cookies/cookie-utils.mjs

@@ -108,14 +108,14 @@ function toCookieOptions(attributes) {
 *
 * @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
 */
-const cookieNameRegex = /^[\w!#$%&'*.^`|~+-]+$/;
+const cookieNameRegex = /^[\x21\x23-\x27\x2A\x2B\x2D\x2E\x30-\x39\x41-\x5A\x5E\x5F\x60\x61-\x7A\x7C\x7E]+$/;
 /**
 * Cookie-value char set per RFC 6265 §4.1.1, plus space and comma.
 *
 * @see https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
 * @see https://github.com/golang/go/issues/7243
 */
-const cookieValueRegex = /^[ !#-:<-[\]-~]*$/;
+const cookieValueRegex = /^[\x20\x21\x23-\x3A\x3C-\x5B\x5D-\x7E]*$/;
 /**
 * Strip surrounding double-quotes per RFC 6265 §4.1.1 quoted-string form.
 *

package/dist/cookies/index.mjs

@@ -116,7 +116,12 @@ async function setCookieCache(ctx, session, dontRememberMe) {
 	}
 	if (ctx.context.options.account?.storeAccountCookie) {
 		const accountData = await getAccountCookie(ctx);
-		if (accountData) await setAccountCookie(ctx, accountData);
+		if (accountData) if (accountData.userId === session.user.id) await setAccountCookie(ctx, accountData);
+		else {
+			expireCookie(ctx, ctx.context.authCookies.accountData);
+			const accountStore = createAccountStore(ctx.context.authCookies.accountData.name, ctx.context.authCookies.accountData.attributes, ctx);
+			accountStore.setCookies(accountStore.clean());
+		}
 	}
 }
 async function setSessionCookie(ctx, session, dontRememberMe, overrides) {

package/dist/db/internal-adapter.mjs

@@ -16,6 +16,7 @@ const createInternalAdapter = (adapter, ctx) => {
 	const options = ctx.options;
 	const secondaryStorage = options.secondaryStorage;
 	const verificationConsumeLocks = /* @__PURE__ */ new Map();
+	let warnedNonAtomicConsume = false;
 	const sessionExpiration = options.session?.expiresIn || 3600 * 24 * 7;
 	const { createWithHooks, updateWithHooks, updateManyWithHooks, deleteWithHooks, deleteManyWithHooks, consumeOneWithHooks } = getWithHooks(adapter, ctx);
 	async function refreshUserSessions(user) {
@@ -653,6 +654,10 @@ const createInternalAdapter = (adapter, ctx) => {
 			if (secondaryStorage && !options.verification?.storeInDatabase) {
 				const consumeCacheKey = async (key) => {
 					if (secondaryStorage.getAndDelete) return hydrateCachedVerification(await secondaryStorage.getAndDelete(key));
+					if (!warnedNonAtomicConsume) {
+						warnedNonAtomicConsume = true;
+						logger.warn("Secondary storage does not implement `getAndDelete`, so single-use verification values cannot be consumed atomically across processes. Implement `getAndDelete` or use database-backed verification storage to guarantee single use.");
+					}
 					return withVerificationConsumeLock(key, async () => {
 						const parsed = hydrateCachedVerification(await secondaryStorage.get(key));
 						if (!parsed) return null;

package/dist/oauth2/link-account.d.mts

@@ -9,6 +9,19 @@ declare function handleOAuthUserInfo(c: GenericEndpointContext, opts: {
   disableSignUp?: boolean | undefined;
   overrideUserInfo?: boolean | undefined;
   isTrustedProvider?: boolean | undefined;
+  /**
+   * Whether `account.providerId` may be matched against the globally
+   * configured `accountLinking.trustedProviders` list to infer trust.
+   *
+   * Defaults to `true` for built-in social/OAuth providers, whose
+   * `providerId` namespace is controlled by the developer's config. Callers
+   * whose `providerId` is user-controlled (e.g. the SSO plugin, where any
+   * authenticated user can register a provider with an arbitrary id) must
+   * pass `false` so a provider named after a trusted social provider can't
+   * launder that trust. Such callers should supply their own
+   * `isTrustedProvider` signal instead.
+   */
+  trustProviderByName?: boolean | undefined;
 }): Promise<{
   error: string;
   data: null;

package/dist/oauth2/link-account.mjs

@@ -17,7 +17,7 @@ async function handleOAuthUserInfo(c, opts) {
 		const linkedAccount = dbUser.linkedAccount ?? dbUser.accounts.find((acc) => acc.providerId === account.providerId && acc.accountId === account.accountId);
 		if (!linkedAccount) {
 			const accountLinking = c.context.options.account?.accountLinking;
-			const isTrustedProvider = opts.isTrustedProvider || c.context.trustedProviders.includes(account.providerId);
+			const isTrustedProvider = opts.isTrustedProvider || opts.trustProviderByName !== false && c.context.trustedProviders.includes(account.providerId);
 			const requireLocalEmailVerified = accountLinking?.requireLocalEmailVerified ?? true;
 			if (!isTrustedProvider && !userInfo.emailVerified || requireLocalEmailVerified && !dbUser.user.emailVerified || accountLinking?.enabled === false || accountLinking?.disableImplicitLinking === true) {
 				if (isDevelopment()) logger.warn(`User already exist but account isn't linked to ${account.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`);

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.14";
+var version = "1.6.16";
 //#endregion
 export { version };

package/dist/plugins/admin/access/statement.d.mts

@@ -1,49 +1,49 @@
 import { ExactRoleStatements, Role, RoleInput, Statements } from "../../access/types.mjs";
 //#region src/plugins/admin/access/statement.d.ts
 declare const defaultStatements: {
-  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
   readonly session: readonly ["list", "revoke", "delete"];
 };
 declare const defaultAc: {
   newRole<const TRoleStatements extends Statements>(statements: RoleInput<{
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   }, TRoleStatements>): Role<ExactRoleStatements<TRoleStatements>, {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   }>;
   statements: {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   };
 };
 declare const adminAc: Role<ExactRoleStatements<{
-  readonly user: ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+  readonly user: ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "set-email", "get", "update"];
   readonly session: ["list", "revoke", "delete"];
 }>, {
-  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
   readonly session: readonly ["list", "revoke", "delete"];
 }>;
 declare const userAc: Role<ExactRoleStatements<{
   readonly user: [];
   readonly session: [];
 }>, {
-  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
   readonly session: readonly ["list", "revoke", "delete"];
 }>;
 declare const defaultRoles: {
   admin: Role<ExactRoleStatements<{
-    readonly user: ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+    readonly user: ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "set-email", "get", "update"];
     readonly session: ["list", "revoke", "delete"];
   }>, {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   }>;
   user: Role<ExactRoleStatements<{
     readonly user: [];
     readonly session: [];
   }>, {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   }>;
 };

package/dist/plugins/admin/access/statement.mjs

@@ -10,6 +10,7 @@ const defaultStatements = {
 		"impersonate-admins",
 		"delete",
 		"set-password",
+		"set-email",
 		"get",
 		"update"
 	],
@@ -29,6 +30,7 @@ const adminAc = defaultAc.newRole({
 		"impersonate",
 		"delete",
 		"set-password",
+		"set-email",
 		"get",
 		"update"
 	],