better-auth 1.6.14 → 1.6.16

package/dist/plugins/admin/admin.d.mts

@@ -824,13 +824,13 @@ declare const admin: <O extends AdminOptions>(options?: O | undefined) => {
         $Infer: {
           body: {
             permissions: { [key in keyof (O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
               readonly session: readonly ["list", "revoke", "delete"];
             })]?: ((O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
               readonly session: readonly ["list", "revoke", "delete"];
             })[key] extends readonly unknown[] ? ArrayElement<(O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
               readonly session: readonly ["list", "revoke", "delete"];
             })[key]> : never)[] | undefined };
           } & {
@@ -866,6 +866,8 @@ declare const admin: <O extends AdminOptions>(options?: O | undefined) => {
     YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE">;
     YOU_CANNOT_IMPERSONATE_ADMINS: _better_auth_core_utils_error_codes0.RawError<"YOU_CANNOT_IMPERSONATE_ADMINS">;
     INVALID_ROLE_TYPE: _better_auth_core_utils_error_codes0.RawError<"INVALID_ROLE_TYPE">;
+    YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL">;
+    PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER: _better_auth_core_utils_error_codes0.RawError<"PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER">;
   };
   schema: {
     user: {
@@ -898,6 +900,7 @@ declare const admin: <O extends AdminOptions>(options?: O | undefined) => {
         impersonatedBy: {
           type: "string";
           required: false;
+          input: false;
         };
       };
     };

package/dist/plugins/admin/client.d.mts

@@ -14,7 +14,7 @@ declare const adminClient: <O extends AdminClientOptions>(options?: O | undefine
   version: string;
   $InferServerPlugin: ReturnType<typeof admin<{
     ac: O["ac"] extends AccessControl ? O["ac"] : AccessControl<{
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
       readonly session: readonly ["list", "revoke", "delete"];
     }>;
     roles: O["roles"] extends Record<string, Role> ? O["roles"] : {
@@ -28,13 +28,13 @@ declare const adminClient: <O extends AdminClientOptions>(options?: O | undefine
         roles: any;
       } ? keyof O["roles"] : "admin" | "user")>(data: {
         permissions: { [key in keyof (O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
           readonly session: readonly ["list", "revoke", "delete"];
         })]?: ((O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
           readonly session: readonly ["list", "revoke", "delete"];
         })[key] extends readonly unknown[] ? ArrayElement<(O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
           readonly session: readonly ["list", "revoke", "delete"];
         })[key]> : never)[] | undefined };
       } & {
@@ -73,6 +73,8 @@ declare const adminClient: <O extends AdminClientOptions>(options?: O | undefine
     YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE">;
     YOU_CANNOT_IMPERSONATE_ADMINS: _better_auth_core_utils_error_codes0.RawError<"YOU_CANNOT_IMPERSONATE_ADMINS">;
     INVALID_ROLE_TYPE: _better_auth_core_utils_error_codes0.RawError<"INVALID_ROLE_TYPE">;
+    YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL">;
+    PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER: _better_auth_core_utils_error_codes0.RawError<"PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER">;
   };
 };
 //#endregion

package/dist/plugins/admin/error-codes.d.mts

@@ -23,6 +23,8 @@ declare const ADMIN_ERROR_CODES: {
   YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE">;
   YOU_CANNOT_IMPERSONATE_ADMINS: _better_auth_core_utils_error_codes0.RawError<"YOU_CANNOT_IMPERSONATE_ADMINS">;
   INVALID_ROLE_TYPE: _better_auth_core_utils_error_codes0.RawError<"INVALID_ROLE_TYPE">;
+  YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL">;
+  PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER: _better_auth_core_utils_error_codes0.RawError<"PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER">;
 };
 //#endregion
 export { ADMIN_ERROR_CODES };

package/dist/plugins/admin/error-codes.mjs

@@ -21,7 +21,9 @@ const ADMIN_ERROR_CODES = defineErrorCodes({
 	YOU_CANNOT_REMOVE_YOURSELF: "You cannot remove yourself",
 	YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE: "You are not allowed to set a non-existent role value",
 	YOU_CANNOT_IMPERSONATE_ADMINS: "You cannot impersonate admins",
-	INVALID_ROLE_TYPE: "Invalid role type"
+	INVALID_ROLE_TYPE: "Invalid role type",
+	YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL: "You are not allowed to update users email",
+	PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER: "Password cannot be updated through update-user. Use the set-user-password endpoint instead"
 });
 //#endregion
 export { ADMIN_ERROR_CODES };

package/dist/plugins/admin/routes.mjs

@@ -72,6 +72,7 @@ const setRole = (opts) => createAuthEndpoint("/admin/set-role", {
 		const inputRoles = Array.isArray(ctx.body.role) ? ctx.body.role : [ctx.body.role];
 		for (const role of inputRoles) if (!roles[role]) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE);
 	}
+	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const updatedUser = await ctx.context.internalAdapter.updateUser(ctx.body.userId, { role: parseRoles(ctx.body.role) });
 	return ctx.json({ user: parseUserOutput(ctx.context.options, updatedUser) });
 });
@@ -155,14 +156,43 @@ const createUser = (opts) => createAuthEndpoint("/admin/create-user", {
 			permissions: { user: ["create"] }
 		})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_CREATE_USERS);
 	}
+	const { role: dataRole, ...userData } = ctx.body.data ?? {};
+	const requestedRole = ctx.body.role ?? dataRole;
+	if (requestedRole !== void 0) {
+		if (session) {
+			if (!hasPermission({
+				userId: session.user.id,
+				role: session.user.role,
+				options: opts,
+				permissions: { user: ["set-role"] }
+			})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_CHANGE_USERS_ROLE);
+		}
+		const inputRoles = Array.isArray(requestedRole) ? requestedRole : [requestedRole];
+		for (const role of inputRoles) {
+			if (typeof role !== "string") throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.INVALID_ROLE_TYPE);
+			if (opts.roles && !opts.roles[role]) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE);
+		}
+	}
+	if (session && [
+		"banned",
+		"banReason",
+		"banExpires"
+	].some((key) => Object.prototype.hasOwnProperty.call(userData, key))) {
+		if (!hasPermission({
+			userId: session.user.id,
+			role: session.user.role,
+			options: opts,
+			permissions: { user: ["ban"] }
+		})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_BAN_USERS);
+	}
 	const email = ctx.body.email.toLowerCase();
 	if (!z.email().safeParse(email).success) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_EMAIL);
 	if (await ctx.context.internalAdapter.findUserByEmail(email)) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL);
 	const user = await ctx.context.internalAdapter.createUser({
+		...userData,
 		email,
 		name: ctx.body.name,
-		role: (ctx.body.role && parseRoles(ctx.body.role)) ?? opts?.defaultRole ?? "user",
-		...ctx.body.data
+		role: requestedRole !== void 0 ? parseRoles(requestedRole) : opts?.defaultRole ?? "user"
 	});
 	if (!user) throw APIError.from("INTERNAL_SERVER_ERROR", ADMIN_ERROR_CODES.FAILED_TO_CREATE_USER);
 	if (ctx.body.password) {
@@ -219,6 +249,9 @@ const adminUpdateUser = (opts) => createAuthEndpoint("/admin/update-user", {
 		permissions: { user: ["update"] }
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_UPDATE_USERS);
 	if (Object.keys(ctx.body.data).length === 0) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.NO_DATA_TO_UPDATE);
+	const updateData = ctx.body.data;
+	const hasDataKey = (key) => Object.prototype.hasOwnProperty.call(updateData, key);
+	if (hasDataKey("password")) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER);
 	if (Object.prototype.hasOwnProperty.call(ctx.body.data, "role")) {
 		if (!hasPermission({
 			userId: ctx.context.session.user.id,
@@ -234,7 +267,37 @@ const adminUpdateUser = (opts) => createAuthEndpoint("/admin/update-user", {
 		}
 		ctx.body.data.role = parseRoles(inputRoles);
 	}
+	if ([
+		"banned",
+		"banReason",
+		"banExpires"
+	].some(hasDataKey)) {
+		if (!hasPermission({
+			userId: ctx.context.session.user.id,
+			role: ctx.context.session.user.role,
+			options: opts,
+			permissions: { user: ["ban"] }
+		})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_BAN_USERS);
+		if (updateData.banned === true && ctx.body.userId === ctx.context.session.user.id) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.YOU_CANNOT_BAN_YOURSELF);
+	}
+	if (hasDataKey("email") || hasDataKey("emailVerified")) {
+		if (!hasPermission({
+			userId: ctx.context.session.user.id,
+			role: ctx.context.session.user.role,
+			options: opts,
+			permissions: { user: ["set-email"] }
+		})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL);
+		if (hasDataKey("email")) {
+			const email = String(updateData.email).toLowerCase();
+			if (!z.email().safeParse(email).success) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_EMAIL);
+			const existUser = await ctx.context.internalAdapter.findUserByEmail(email);
+			if (existUser && existUser.user.id !== ctx.body.userId) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL);
+			updateData.email = email;
+		}
+	}
+	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const updatedUser = await ctx.context.internalAdapter.updateUser(ctx.body.userId, ctx.body.data);
+	if (updateData.banned === true) await ctx.context.internalAdapter.deleteUserSessions(ctx.body.userId);
 	return ctx.json(parseUserOutput(ctx.context.options, updatedUser));
 });
 const listUsersQuerySchema = z.object({
@@ -402,6 +465,7 @@ const unbanUser = (opts) => createAuthEndpoint("/admin/unban-user", {
 		options: opts,
 		permissions: { user: ["ban"] }
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_BAN_USERS);
+	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const user = await ctx.context.internalAdapter.updateUser(ctx.body.userId, {
 		banned: false,
 		banExpires: null,

package/dist/plugins/admin/schema.d.mts

@@ -30,6 +30,7 @@ declare const schema: {
       impersonatedBy: {
         type: "string";
         required: false;
+        input: false;
       };
     };
   };

package/dist/plugins/admin/schema.mjs

@@ -25,7 +25,8 @@ const schema = {
 	} },
 	session: { fields: { impersonatedBy: {
 		type: "string",
-		required: false
+		required: false,
+		input: false
 	} } }
 };
 //#endregion

package/dist/plugins/email-otp/routes.mjs

@@ -334,7 +334,7 @@ const verifyEmailOTP = (opts) => createAuthEndpoint("/email-otp/verify-email", {
 		});
 	}
 	const currentSession = await getSessionFromCtx(ctx);
-	if (currentSession && updatedUser.emailVerified) {
+	if (currentSession && updatedUser.emailVerified && currentSession.user.id === updatedUser.id) {
 		const dontRememberMeCookie = await ctx.getSignedCookie(ctx.context.authCookies.dontRememberToken.name, ctx.context.secret);
 		await setCookieCache(ctx, {
 			session: currentSession.session,

package/dist/plugins/generic-oauth/routes.mjs

@@ -209,7 +209,12 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 			ctx.context.logger.error(missingEmailLogMessage(providerConfig.providerId, { source: "generic" }), userInfo);
 			redirectOnError(ctx, resolvedErrorURL, "email_is_missing");
 		}
-		const id = mapUser.id ? String(mapUser.id) : String(userInfo.id);
+		const rawId = mapUser.id !== void 0 && mapUser.id !== null && mapUser.id !== "" ? mapUser.id : userInfo.id;
+		const id = rawId !== void 0 && rawId !== null ? String(rawId) : "";
+		if (!id) {
+			ctx.context.logger.error("Provider did not return an account id (e.g. `sub`). Unable to sign in.", userInfo);
+			redirectOnError(ctx, resolvedErrorURL, "id_is_missing");
+		}
 		const name = mapUser.name ? mapUser.name : userInfo.name;
 		if (!name) {
 			ctx.context.logger.error("Unable to get user info", userInfo);
@@ -398,8 +403,10 @@ async function getUserInfo(tokens, finalUserInfoUrl) {
 		method: "GET",
 		headers: { Authorization: `Bearer ${tokens.accessToken}` }
 	});
+	const subjectId = userInfo.data?.sub ?? userInfo.data?.id;
+	if (subjectId === void 0 || subjectId === null || subjectId === "") return null;
 	return {
-		id: userInfo.data?.sub ?? "",
+		id: subjectId,
 		emailVerified: userInfo.data?.email_verified ?? false,
 		email: userInfo.data?.email,
 		image: userInfo.data?.picture,

package/dist/plugins/organization/organization.mjs

@@ -394,11 +394,13 @@ function organization(options) {
 				activeOrganizationId: {
 					type: "string",
 					required: false,
+					input: false,
 					fieldName: opts.schema?.session?.fields?.activeOrganizationId
 				},
 				...teamSupport ? { activeTeamId: {
 					type: "string",
 					required: false,
+					input: false,
 					fieldName: opts.schema?.session?.fields?.activeTeamId
 				} } : {}
 			} }

package/dist/plugins/organization/routes/crud-invites.mjs

@@ -170,7 +170,12 @@ const createInvitation = (option) => {
 		}, ctx.context) : ctx.context.orgOptions.invitationLimit ?? 100;
 		if ((await adapter.findPendingInvitations({ organizationId })).length >= invitationLimit) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.INVITATION_LIMIT_REACHED);
 		if (ctx.context.orgOptions.teams?.enabled && "teamId" in ctx.body && ctx.body.teamId) {
-			if ((typeof ctx.body.teamId === "string" ? [ctx.body.teamId] : ctx.body.teamId).some((id) => id.includes(","))) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVALID_TEAM_ID);
+			const requestedTeamIds = typeof ctx.body.teamId === "string" ? [ctx.body.teamId] : ctx.body.teamId;
+			if (requestedTeamIds.some((id) => id.includes(","))) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVALID_TEAM_ID);
+			for (const teamId of requestedTeamIds) if (!await adapter.findTeamById({
+				teamId,
+				organizationId
+			})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
 		}
 		if (ctx.context.orgOptions.teams && ctx.context.orgOptions.teams.enabled && typeof ctx.context.orgOptions.teams.maximumMembersPerTeam !== "undefined" && "teamId" in ctx.body && ctx.body.teamId) {
 			const teamIds = typeof ctx.body.teamId === "string" ? [ctx.body.teamId] : ctx.body.teamId;
@@ -285,6 +290,10 @@ const acceptInvitation = (options) => createAuthEndpoint("/organization/accept-i
 		const teamIds = acceptedI.teamId.split(",");
 		const onlyOne = teamIds.length === 1;
 		for (const teamId of teamIds) {
+			if (!await adapter.findTeamById({
+				teamId,
+				organizationId: invitation.organizationId
+			})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
 			await adapter.findOrCreateTeamMember({
 				teamId,
 				userId: session.user.id

package/dist/plugins/organization/routes/crud-team.mjs

@@ -441,8 +441,15 @@ const listUserTeams = (options) => createAuthEndpoint("/organization/list-user-t
 	use: [orgMiddleware, orgSessionMiddleware]
 }, async (ctx) => {
 	const session = ctx.context.session;
-	const teams = await getOrgAdapter(ctx.context, ctx.context.orgOptions).listTeamsByUser({ userId: session.user.id });
-	return ctx.json(teams);
+	const adapter = getOrgAdapter(ctx.context, ctx.context.orgOptions);
+	const teams = await adapter.listTeamsByUser({ userId: session.user.id });
+	const orgIds = [...new Set(teams.map((team) => team.organizationId))];
+	const memberships = await Promise.all(orgIds.map((organizationId) => adapter.checkMembership({
+		userId: session.user.id,
+		organizationId
+	})));
+	const memberOrgIds = new Set(orgIds.filter((_, index) => memberships[index]));
+	return ctx.json(teams.filter((team) => memberOrgIds.has(team.organizationId)));
 });
 const listTeamMembersQuerySchema = z.optional(z.object({ teamId: z.string().optional().meta({ description: "The team whose members we should return. If this is not provided the members of the current active team get returned." }) }));
 const listTeamMembers = (options) => createAuthEndpoint("/organization/list-team-members", {
@@ -494,6 +501,12 @@ const listTeamMembers = (options) => createAuthEndpoint("/organization/list-team
 	const adapter = getOrgAdapter(ctx.context, ctx.context.orgOptions);
 	const teamId = ctx.query?.teamId || session?.session.activeTeamId;
 	if (!teamId) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.YOU_DO_NOT_HAVE_AN_ACTIVE_TEAM);
+	const team = await adapter.findTeamById({ teamId });
+	if (!team) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
+	if (!await adapter.checkMembership({
+		userId: session.user.id,
+		organizationId: team.organizationId
+	})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.USER_IS_NOT_A_MEMBER_OF_THE_TEAM);
 	if (!await adapter.findTeamMember({
 		userId: session.user.id,
 		teamId

package/dist/plugins/organization/schema.d.mts

@@ -183,6 +183,7 @@ interface SessionDefaultFields {
   activeOrganizationId: {
     type: "string";
     required: false;
+    input: false;
   };
 }
 type OrganizationSchema<O extends OrganizationOptions> = (O["dynamicAccessControl"] extends {
@@ -222,6 +223,7 @@ type OrganizationSchema<O extends OrganizationOptions> = (O["dynamicAccessContro
       activeTeamId: {
         type: "string";
         required: false;
+        input: false;
       };
     } : {});
   };

package/dist/plugins/siwe/index.mjs

@@ -5,6 +5,7 @@ import { setSessionCookie } from "../../cookies/index.mjs";
 import { APIError } from "../../api/index.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { toChecksumAddress } from "../../utils/hashing.mjs";
+import { normalizeSiweDomain, parseSiweMessage } from "./parse-message.mjs";
 import { schema } from "./schema.mjs";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
@@ -74,6 +75,33 @@ const siwe = (options) => {
 						code: "UNAUTHORIZED_INVALID_OR_EXPIRED_NONCE"
 					});
 					const { value: nonce } = verification;
+					const parsedMessage = parseSiweMessage(message);
+					const nonceMatches = parsedMessage.nonce === nonce;
+					const addressMatches = !!parsedMessage.address && parsedMessage.address.toLowerCase() === walletAddress.toLowerCase();
+					const chainMatches = parsedMessage.chainId === chainId;
+					const domainMatches = !!parsedMessage.domain && normalizeSiweDomain(parsedMessage.domain) === normalizeSiweDomain(options.domain);
+					if (!nonceMatches || !addressMatches || !chainMatches || !domainMatches) throw APIError.fromStatus("UNAUTHORIZED", {
+						message: "Unauthorized: SIWE message does not match the expected nonce, domain, address, or chain ID",
+						status: 401,
+						code: "UNAUTHORIZED_SIWE_MESSAGE_MISMATCH"
+					});
+					const now = Date.now();
+					if (parsedMessage.expirationTime) {
+						const expiresAt = Date.parse(parsedMessage.expirationTime);
+						if (!Number.isNaN(expiresAt) && now >= expiresAt) throw APIError.fromStatus("UNAUTHORIZED", {
+							message: "Unauthorized: SIWE message has expired",
+							status: 401,
+							code: "UNAUTHORIZED_SIWE_MESSAGE_EXPIRED"
+						});
+					}
+					if (parsedMessage.notBefore) {
+						const notBefore = Date.parse(parsedMessage.notBefore);
+						if (!Number.isNaN(notBefore) && now < notBefore) throw APIError.fromStatus("UNAUTHORIZED", {
+							message: "Unauthorized: SIWE message is not yet valid",
+							status: 401,
+							code: "UNAUTHORIZED_SIWE_MESSAGE_NOT_YET_VALID"
+						});
+					}
 					if (!await options.verifyMessage({
 						message,
 						signature,

package/dist/plugins/siwe/parse-message.mjs

@@ -0,0 +1,60 @@
+//#region src/plugins/siwe/parse-message.ts
+const HEADER_REGEX = /^(?:([a-zA-Z][a-zA-Z0-9+.-]*):\/\/)?(\S+) wants you to sign in with your Ethereum account:$/;
+const ADDRESS_REGEX = /^0x[a-fA-F0-9]{40}$/;
+const FIELD_REGEX = /^([A-Za-z ]+): (.*)$/;
+function parseSiweMessage(message) {
+	const result = {};
+	const lines = message.split(/\r?\n/);
+	const headerMatch = lines[0]?.match(HEADER_REGEX);
+	if (headerMatch) {
+		if (headerMatch[1]) result.scheme = headerMatch[1];
+		result.domain = headerMatch[2];
+	}
+	const addressLine = lines[1]?.trim();
+	if (addressLine && ADDRESS_REGEX.test(addressLine)) result.address = addressLine;
+	for (const line of lines) {
+		const match = line.match(FIELD_REGEX);
+		if (!match) continue;
+		const [, key, value] = match;
+		switch (key) {
+			case "URI":
+				result.uri = value;
+				break;
+			case "Version":
+				result.version = value;
+				break;
+			case "Chain ID": {
+				const parsed = Number(value);
+				if (Number.isInteger(parsed)) result.chainId = parsed;
+				break;
+			}
+			case "Nonce":
+				result.nonce = value;
+				break;
+			case "Issued At":
+				result.issuedAt = value;
+				break;
+			case "Expiration Time":
+				result.expirationTime = value;
+				break;
+			case "Not Before":
+				result.notBefore = value;
+				break;
+			case "Request ID":
+				result.requestId = value;
+				break;
+		}
+	}
+	return result;
+}
+/**
+* Normalizes a SIWE `domain` (RFC 3986 authority) for comparison: strips any
+* scheme and path, lowercases, leaving `host[:port]`.
+*/
+function normalizeSiweDomain(domain) {
+	const withoutScheme = domain.trim().toLowerCase().replace(/^[a-z][a-z0-9+.-]*:\/\//, "");
+	const pathStart = withoutScheme.indexOf("/");
+	return pathStart === -1 ? withoutScheme : withoutScheme.slice(0, pathStart);
+}
+//#endregion
+export { normalizeSiweDomain, parseSiweMessage };

package/dist/plugins/two-factor/index.mjs

@@ -220,7 +220,15 @@ const twoFactor = (options) => {
 					expireCookie(ctx, trustDeviceCookieAttrs);
 				}
 				/**
-				* remove the session cookie. It's set by the sign in credential
+				* Remove the session cookie set by the credential sign-in.
+				*
+				* The credential handler already created a session and set
+				* `ctx.context.newSession`. Since 2FA is still pending, that
+				* session is deleted here and `newSession` is reset to `null`
+				* so downstream hooks don't observe a session that no longer
+				* exists. Hooks that read `ctx.context.newSession` after a
+				* sign-in must therefore null-check it: it is `null` while a
+				* 2FA challenge is in flight (no authenticated session yet).
 				*/
 				deleteSessionCookie(ctx, true);
 				await ctx.context.internalAdapter.deleteSession(data.session.token);

package/dist/test-utils/test-instance.d.mts

@@ -7999,11 +7999,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
       priority?: RequestPriority | undefined;
       cache?: RequestCache | undefined;
       credentials?: RequestCredentials;
-      headers?: (HeadersInit & (HeadersInit | {
-        accept: "application/json" | "text/plain" | "application/octet-stream";
-        "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-        authorization: "Bearer" | "Basic";
-      })) | undefined;
       integrity?: string | undefined;
       keepalive?: boolean | undefined;
       method: string;
@@ -8033,6 +8028,12 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         prefix: string | (() => string | undefined) | undefined;
         value: string | (() => string | undefined) | undefined;
       }) | undefined;
+      headers?: {} | {
+        [x: string]: string | undefined;
+        accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+        "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+        authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+      } | undefined;
       body?: any;
       query?: any;
       params?: any;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.14",
+  "version": "1.6.16",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -480,22 +480,22 @@
   },
   "dependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
+    "@better-fetch/fetch": "1.2.2",
     "@noble/ciphers": "^2.1.1",
     "@noble/hashes": "^2.0.1",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "defu": "^6.1.4",
     "jose": "^6.1.3",
     "kysely": "^0.28.17 || ^0.29.0",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.14",
-    "@better-auth/drizzle-adapter": "1.6.14",
-    "@better-auth/kysely-adapter": "1.6.14",
-    "@better-auth/memory-adapter": "1.6.14",
-    "@better-auth/mongo-adapter": "1.6.14",
-    "@better-auth/prisma-adapter": "1.6.14",
-    "@better-auth/telemetry": "1.6.14"
+    "@better-auth/core": "1.6.16",
+    "@better-auth/drizzle-adapter": "1.6.16",
+    "@better-auth/kysely-adapter": "1.6.16",
+    "@better-auth/memory-adapter": "1.6.16",
+    "@better-auth/mongo-adapter": "1.6.16",
+    "@better-auth/prisma-adapter": "1.6.16",
+    "@better-auth/telemetry": "1.6.16"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",