better-auth 1.6.15 → 1.6.16

package/dist/api/middlewares/origin-check.mjs

@@ -141,6 +141,7 @@ async function validateFormCsrf(ctx) {
 		}
 		return await validateOrigin(ctx, true);
 	}
+	if (headers.get("origin") || headers.get("referer")) return await validateOrigin(ctx, true);
 }
 //#endregion
 export { formCsrfMiddleware, originCheck, originCheckMiddleware };

package/dist/api/routes/account.mjs

@@ -225,9 +225,15 @@ const unlinkAccount = createAuthEndpoint("/unlink-account", {
 * `userId` directly. Throws `UNAUTHORIZED` when an HTTP caller is
 * unauthenticated, and `USER_ID_OR_SESSION_REQUIRED` when neither a session
 * nor a `userId` is available.
+*
+* When a durable store is authoritative, bypasses the cookie cache: these
+* routes mint or refresh provider access tokens, so a server-side session
+* revocation must take effect immediately rather than waiting for the cached
+* cookie to expire. DB-less deployments keep the session in the cookie itself,
+* so the cache is left in place for them.
 */
 async function resolveUserId(ctx, userId) {
-	const session = await getSessionFromCtx(ctx);
+	const session = await getSessionFromCtx(ctx, { disableCookieCache: !!ctx.context.options.database || !!ctx.context.options.secondaryStorage });
 	if (!session && (ctx.request || ctx.headers)) throw ctx.error("UNAUTHORIZED");
 	const resolvedUserId = session?.user?.id || userId;
 	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
@@ -382,12 +388,11 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 	});
 	let account = void 0;
 	const accountData = await getAccountCookie(ctx);
-	if (accountData && accountData.userId === resolvedUserId && (!providerId || providerId === accountData?.providerId)) account = accountData;
+	const usedAccountCookie = !!accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId);
+	if (usedAccountCookie) account = accountData;
 	else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
-	let refreshToken = void 0;
-	if (accountData && providerId === accountData.providerId) refreshToken = accountData.refreshToken ?? void 0;
-	else refreshToken = account.refreshToken ?? void 0;
+	const refreshToken = account.refreshToken ?? void 0;
 	if (!refreshToken) throw APIError.from("BAD_REQUEST", {
 		message: "Refresh token not found",
 		code: "REFRESH_TOKEN_NOT_FOUND"
@@ -409,7 +414,7 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 			};
 			await ctx.context.internalAdapter.updateAccount(account.id, updateData);
 		}
-		if (accountData && providerId === accountData.providerId && ctx.context.options.account?.storeAccountCookie) await setAccountCookie(ctx, {
+		if (usedAccountCookie && ctx.context.options.account?.storeAccountCookie) await setAccountCookie(ctx, {
 			...accountData,
 			accessToken: await setTokenUtil(tokens.accessToken, ctx.context),
 			refreshToken: resolvedRefreshToken,

package/dist/api/routes/callback.mjs

@@ -81,7 +81,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		...tokens,
 		user: parsedUserData ?? void 0
 	}).then((res) => res?.user);
-	if (!userInfo || userInfo.id === void 0 || userInfo.id === null) {
+	if (!userInfo || userInfo.id === void 0 || userInfo.id === null || userInfo.id === "") {
 		c.context.logger.error("Unable to get user info");
 		redirectOnError(c, resolvedErrorURL, "unable_to_get_user_info");
 	}

package/dist/api/routes/session.mjs

@@ -276,7 +276,9 @@ const getSessionFromCtx = async (ctx, config) => {
 		returnStatus: false,
 		query: {
 			...config,
-			...ctx.query
+			...ctx.query,
+			disableCookieCache: config?.disableCookieCache || ctx.query?.disableCookieCache,
+			disableRefresh: config?.disableRefresh || ctx.query?.disableRefresh
 		}
 	}).catch(() => {
 		return null;

package/dist/api/routes/update-session.mjs

@@ -1,5 +1,5 @@
 import { parseSessionInput, parseSessionOutput } from "../../db/schema.mjs";
-import { setSessionCookie } from "../../cookies/index.mjs";
+import { deleteSessionCookie, setSessionCookie } from "../../cookies/index.mjs";
 import { sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { createAuthEndpoint } from "@better-auth/core/api";
@@ -34,10 +34,16 @@ const updateSession = () => createAuthEndpoint("/update-session", {
 	const session = ctx.context.session;
 	const additionalFields = parseSessionInput(ctx.context.options, body, "update");
 	if (Object.keys(additionalFields).length === 0) throw APIError.fromStatus("BAD_REQUEST", { message: "No fields to update" });
-	const newSession = await ctx.context.internalAdapter.updateSession(session.session.token, {
+	const updatedSession = await ctx.context.internalAdapter.updateSession(session.session.token, {
 		...additionalFields,
 		updatedAt: /* @__PURE__ */ new Date()
-	}) ?? {
+	});
+	const isStateful = !!ctx.context.options.database || !!ctx.context.options.secondaryStorage;
+	if (!updatedSession && isStateful) {
+		deleteSessionCookie(ctx);
+		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.FAILED_TO_GET_SESSION);
+	}
+	const newSession = updatedSession ?? {
 		...session.session,
 		...additionalFields,
 		updatedAt: /* @__PURE__ */ new Date()

package/dist/client/lynx/index.d.mts

@@ -69,11 +69,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -103,6 +98,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/react/index.d.mts

@@ -70,11 +70,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -104,6 +99,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/solid/index.d.mts

@@ -69,11 +69,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -103,6 +98,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/svelte/index.d.mts

@@ -55,11 +55,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -89,6 +84,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/vanilla.d.mts

@@ -53,11 +53,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -87,6 +82,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/vue/index.d.mts

@@ -93,11 +93,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -127,6 +122,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/context/create-context.mjs

@@ -59,7 +59,7 @@ async function createAuthContext(adapter, options, getDatabaseType) {
 		if (!allowedHosts || allowedHosts.length === 0) throw new BetterAuthError("baseURL.allowedHosts cannot be empty. Provide at least one allowed host pattern (e.g., [\"myapp.com\", \"*.vercel.app\"]).");
 	}
 	const baseURL = isDynamicConfig ? void 0 : getBaseURL(typeof options.baseURL === "string" ? options.baseURL : void 0, options.basePath);
-	if (!baseURL && !isDynamicConfig) logger.warn(`[better-auth] Base URL could not be determined. Please set a valid base URL using the baseURL config option or the BETTER_AUTH_URL environment variable. Without this, callbacks and redirects may not work correctly.`);
+	if (!baseURL && !isDynamicConfig) logger.warn(`[better-auth] Base URL is not set. Set the baseURL option or BETTER_AUTH_URL env, or use a dynamic baseURL with allowedHosts for multi-host setups. Without it the origin is derived from the incoming request, and callbacks and redirects may not work correctly.`);
 	if (adapter.id === "memory" && options.advanced?.database?.generateId === false) logger.error(`[better-auth] Misconfiguration detected.
 You are using the memory DB with generateId: false.
 This will cause no id to be generated for any model.

package/dist/cookies/index.mjs

@@ -116,7 +116,12 @@ async function setCookieCache(ctx, session, dontRememberMe) {
 	}
 	if (ctx.context.options.account?.storeAccountCookie) {
 		const accountData = await getAccountCookie(ctx);
-		if (accountData) await setAccountCookie(ctx, accountData);
+		if (accountData) if (accountData.userId === session.user.id) await setAccountCookie(ctx, accountData);
+		else {
+			expireCookie(ctx, ctx.context.authCookies.accountData);
+			const accountStore = createAccountStore(ctx.context.authCookies.accountData.name, ctx.context.authCookies.accountData.attributes, ctx);
+			accountStore.setCookies(accountStore.clean());
+		}
 	}
 }
 async function setSessionCookie(ctx, session, dontRememberMe, overrides) {

package/dist/db/internal-adapter.mjs

@@ -16,6 +16,7 @@ const createInternalAdapter = (adapter, ctx) => {
 	const options = ctx.options;
 	const secondaryStorage = options.secondaryStorage;
 	const verificationConsumeLocks = /* @__PURE__ */ new Map();
+	let warnedNonAtomicConsume = false;
 	const sessionExpiration = options.session?.expiresIn || 3600 * 24 * 7;
 	const { createWithHooks, updateWithHooks, updateManyWithHooks, deleteWithHooks, deleteManyWithHooks, consumeOneWithHooks } = getWithHooks(adapter, ctx);
 	async function refreshUserSessions(user) {
@@ -653,6 +654,10 @@ const createInternalAdapter = (adapter, ctx) => {
 			if (secondaryStorage && !options.verification?.storeInDatabase) {
 				const consumeCacheKey = async (key) => {
 					if (secondaryStorage.getAndDelete) return hydrateCachedVerification(await secondaryStorage.getAndDelete(key));
+					if (!warnedNonAtomicConsume) {
+						warnedNonAtomicConsume = true;
+						logger.warn("Secondary storage does not implement `getAndDelete`, so single-use verification values cannot be consumed atomically across processes. Implement `getAndDelete` or use database-backed verification storage to guarantee single use.");
+					}
 					return withVerificationConsumeLock(key, async () => {
 						const parsed = hydrateCachedVerification(await secondaryStorage.get(key));
 						if (!parsed) return null;

package/dist/oauth2/link-account.d.mts

@@ -9,6 +9,19 @@ declare function handleOAuthUserInfo(c: GenericEndpointContext, opts: {
   disableSignUp?: boolean | undefined;
   overrideUserInfo?: boolean | undefined;
   isTrustedProvider?: boolean | undefined;
+  /**
+   * Whether `account.providerId` may be matched against the globally
+   * configured `accountLinking.trustedProviders` list to infer trust.
+   *
+   * Defaults to `true` for built-in social/OAuth providers, whose
+   * `providerId` namespace is controlled by the developer's config. Callers
+   * whose `providerId` is user-controlled (e.g. the SSO plugin, where any
+   * authenticated user can register a provider with an arbitrary id) must
+   * pass `false` so a provider named after a trusted social provider can't
+   * launder that trust. Such callers should supply their own
+   * `isTrustedProvider` signal instead.
+   */
+  trustProviderByName?: boolean | undefined;
 }): Promise<{
   error: string;
   data: null;

package/dist/oauth2/link-account.mjs

@@ -17,7 +17,7 @@ async function handleOAuthUserInfo(c, opts) {
 		const linkedAccount = dbUser.linkedAccount ?? dbUser.accounts.find((acc) => acc.providerId === account.providerId && acc.accountId === account.accountId);
 		if (!linkedAccount) {
 			const accountLinking = c.context.options.account?.accountLinking;
-			const isTrustedProvider = opts.isTrustedProvider || c.context.trustedProviders.includes(account.providerId);
+			const isTrustedProvider = opts.isTrustedProvider || opts.trustProviderByName !== false && c.context.trustedProviders.includes(account.providerId);
 			const requireLocalEmailVerified = accountLinking?.requireLocalEmailVerified ?? true;
 			if (!isTrustedProvider && !userInfo.emailVerified || requireLocalEmailVerified && !dbUser.user.emailVerified || accountLinking?.enabled === false || accountLinking?.disableImplicitLinking === true) {
 				if (isDevelopment()) logger.warn(`User already exist but account isn't linked to ${account.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`);

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.15";
+var version = "1.6.16";
 //#endregion
 export { version };

package/dist/plugins/admin/access/statement.d.mts

@@ -1,49 +1,49 @@
 import { ExactRoleStatements, Role, RoleInput, Statements } from "../../access/types.mjs";
 //#region src/plugins/admin/access/statement.d.ts
 declare const defaultStatements: {
-  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
   readonly session: readonly ["list", "revoke", "delete"];
 };
 declare const defaultAc: {
   newRole<const TRoleStatements extends Statements>(statements: RoleInput<{
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   }, TRoleStatements>): Role<ExactRoleStatements<TRoleStatements>, {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   }>;
   statements: {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   };
 };
 declare const adminAc: Role<ExactRoleStatements<{
-  readonly user: ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+  readonly user: ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "set-email", "get", "update"];
   readonly session: ["list", "revoke", "delete"];
 }>, {
-  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
   readonly session: readonly ["list", "revoke", "delete"];
 }>;
 declare const userAc: Role<ExactRoleStatements<{
   readonly user: [];
   readonly session: [];
 }>, {
-  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
   readonly session: readonly ["list", "revoke", "delete"];
 }>;
 declare const defaultRoles: {
   admin: Role<ExactRoleStatements<{
-    readonly user: ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+    readonly user: ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "set-email", "get", "update"];
     readonly session: ["list", "revoke", "delete"];
   }>, {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   }>;
   user: Role<ExactRoleStatements<{
     readonly user: [];
     readonly session: [];
   }>, {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   }>;
 };

package/dist/plugins/admin/access/statement.mjs

@@ -10,6 +10,7 @@ const defaultStatements = {
 		"impersonate-admins",
 		"delete",
 		"set-password",
+		"set-email",
 		"get",
 		"update"
 	],
@@ -29,6 +30,7 @@ const adminAc = defaultAc.newRole({
 		"impersonate",
 		"delete",
 		"set-password",
+		"set-email",
 		"get",
 		"update"
 	],

package/dist/plugins/admin/admin.d.mts

@@ -824,13 +824,13 @@ declare const admin: <O extends AdminOptions>(options?: O | undefined) => {
         $Infer: {
           body: {
             permissions: { [key in keyof (O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
               readonly session: readonly ["list", "revoke", "delete"];
             })]?: ((O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
               readonly session: readonly ["list", "revoke", "delete"];
             })[key] extends readonly unknown[] ? ArrayElement<(O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+              readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
               readonly session: readonly ["list", "revoke", "delete"];
             })[key]> : never)[] | undefined };
           } & {
@@ -866,6 +866,8 @@ declare const admin: <O extends AdminOptions>(options?: O | undefined) => {
     YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE">;
     YOU_CANNOT_IMPERSONATE_ADMINS: _better_auth_core_utils_error_codes0.RawError<"YOU_CANNOT_IMPERSONATE_ADMINS">;
     INVALID_ROLE_TYPE: _better_auth_core_utils_error_codes0.RawError<"INVALID_ROLE_TYPE">;
+    YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL">;
+    PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER: _better_auth_core_utils_error_codes0.RawError<"PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER">;
   };
   schema: {
     user: {
@@ -898,6 +900,7 @@ declare const admin: <O extends AdminOptions>(options?: O | undefined) => {
         impersonatedBy: {
           type: "string";
           required: false;
+          input: false;
         };
       };
     };

package/dist/plugins/admin/client.d.mts

@@ -14,7 +14,7 @@ declare const adminClient: <O extends AdminClientOptions>(options?: O | undefine
   version: string;
   $InferServerPlugin: ReturnType<typeof admin<{
     ac: O["ac"] extends AccessControl ? O["ac"] : AccessControl<{
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
       readonly session: readonly ["list", "revoke", "delete"];
     }>;
     roles: O["roles"] extends Record<string, Role> ? O["roles"] : {
@@ -28,13 +28,13 @@ declare const adminClient: <O extends AdminClientOptions>(options?: O | undefine
         roles: any;
       } ? keyof O["roles"] : "admin" | "user")>(data: {
         permissions: { [key in keyof (O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
           readonly session: readonly ["list", "revoke", "delete"];
         })]?: ((O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
           readonly session: readonly ["list", "revoke", "delete"];
         })[key] extends readonly unknown[] ? ArrayElement<(O["ac"] extends AccessControl<infer S extends Statements> ? S : {
-          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+          readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "set-email", "get", "update"];
           readonly session: readonly ["list", "revoke", "delete"];
         })[key]> : never)[] | undefined };
       } & {
@@ -73,6 +73,8 @@ declare const adminClient: <O extends AdminClientOptions>(options?: O | undefine
     YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE">;
     YOU_CANNOT_IMPERSONATE_ADMINS: _better_auth_core_utils_error_codes0.RawError<"YOU_CANNOT_IMPERSONATE_ADMINS">;
     INVALID_ROLE_TYPE: _better_auth_core_utils_error_codes0.RawError<"INVALID_ROLE_TYPE">;
+    YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL">;
+    PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER: _better_auth_core_utils_error_codes0.RawError<"PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER">;
   };
 };
 //#endregion

package/dist/plugins/admin/error-codes.d.mts

@@ -23,6 +23,8 @@ declare const ADMIN_ERROR_CODES: {
   YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE">;
   YOU_CANNOT_IMPERSONATE_ADMINS: _better_auth_core_utils_error_codes0.RawError<"YOU_CANNOT_IMPERSONATE_ADMINS">;
   INVALID_ROLE_TYPE: _better_auth_core_utils_error_codes0.RawError<"INVALID_ROLE_TYPE">;
+  YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL">;
+  PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER: _better_auth_core_utils_error_codes0.RawError<"PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER">;
 };
 //#endregion
 export { ADMIN_ERROR_CODES };

package/dist/plugins/admin/error-codes.mjs

@@ -21,7 +21,9 @@ const ADMIN_ERROR_CODES = defineErrorCodes({
 	YOU_CANNOT_REMOVE_YOURSELF: "You cannot remove yourself",
 	YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE: "You are not allowed to set a non-existent role value",
 	YOU_CANNOT_IMPERSONATE_ADMINS: "You cannot impersonate admins",
-	INVALID_ROLE_TYPE: "Invalid role type"
+	INVALID_ROLE_TYPE: "Invalid role type",
+	YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL: "You are not allowed to update users email",
+	PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER: "Password cannot be updated through update-user. Use the set-user-password endpoint instead"
 });
 //#endregion
 export { ADMIN_ERROR_CODES };

package/dist/plugins/admin/routes.mjs

@@ -156,14 +156,43 @@ const createUser = (opts) => createAuthEndpoint("/admin/create-user", {
 			permissions: { user: ["create"] }
 		})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_CREATE_USERS);
 	}
+	const { role: dataRole, ...userData } = ctx.body.data ?? {};
+	const requestedRole = ctx.body.role ?? dataRole;
+	if (requestedRole !== void 0) {
+		if (session) {
+			if (!hasPermission({
+				userId: session.user.id,
+				role: session.user.role,
+				options: opts,
+				permissions: { user: ["set-role"] }
+			})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_CHANGE_USERS_ROLE);
+		}
+		const inputRoles = Array.isArray(requestedRole) ? requestedRole : [requestedRole];
+		for (const role of inputRoles) {
+			if (typeof role !== "string") throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.INVALID_ROLE_TYPE);
+			if (opts.roles && !opts.roles[role]) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE);
+		}
+	}
+	if (session && [
+		"banned",
+		"banReason",
+		"banExpires"
+	].some((key) => Object.prototype.hasOwnProperty.call(userData, key))) {
+		if (!hasPermission({
+			userId: session.user.id,
+			role: session.user.role,
+			options: opts,
+			permissions: { user: ["ban"] }
+		})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_BAN_USERS);
+	}
 	const email = ctx.body.email.toLowerCase();
 	if (!z.email().safeParse(email).success) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_EMAIL);
 	if (await ctx.context.internalAdapter.findUserByEmail(email)) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL);
 	const user = await ctx.context.internalAdapter.createUser({
+		...userData,
 		email,
 		name: ctx.body.name,
-		role: (ctx.body.role && parseRoles(ctx.body.role)) ?? opts?.defaultRole ?? "user",
-		...ctx.body.data
+		role: requestedRole !== void 0 ? parseRoles(requestedRole) : opts?.defaultRole ?? "user"
 	});
 	if (!user) throw APIError.from("INTERNAL_SERVER_ERROR", ADMIN_ERROR_CODES.FAILED_TO_CREATE_USER);
 	if (ctx.body.password) {
@@ -220,6 +249,9 @@ const adminUpdateUser = (opts) => createAuthEndpoint("/admin/update-user", {
 		permissions: { user: ["update"] }
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_UPDATE_USERS);
 	if (Object.keys(ctx.body.data).length === 0) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.NO_DATA_TO_UPDATE);
+	const updateData = ctx.body.data;
+	const hasDataKey = (key) => Object.prototype.hasOwnProperty.call(updateData, key);
+	if (hasDataKey("password")) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.PASSWORD_CANNOT_BE_UPDATED_VIA_UPDATE_USER);
 	if (Object.prototype.hasOwnProperty.call(ctx.body.data, "role")) {
 		if (!hasPermission({
 			userId: ctx.context.session.user.id,
@@ -235,8 +267,37 @@ const adminUpdateUser = (opts) => createAuthEndpoint("/admin/update-user", {
 		}
 		ctx.body.data.role = parseRoles(inputRoles);
 	}
+	if ([
+		"banned",
+		"banReason",
+		"banExpires"
+	].some(hasDataKey)) {
+		if (!hasPermission({
+			userId: ctx.context.session.user.id,
+			role: ctx.context.session.user.role,
+			options: opts,
+			permissions: { user: ["ban"] }
+		})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_BAN_USERS);
+		if (updateData.banned === true && ctx.body.userId === ctx.context.session.user.id) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.YOU_CANNOT_BAN_YOURSELF);
+	}
+	if (hasDataKey("email") || hasDataKey("emailVerified")) {
+		if (!hasPermission({
+			userId: ctx.context.session.user.id,
+			role: ctx.context.session.user.role,
+			options: opts,
+			permissions: { user: ["set-email"] }
+		})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_SET_USERS_EMAIL);
+		if (hasDataKey("email")) {
+			const email = String(updateData.email).toLowerCase();
+			if (!z.email().safeParse(email).success) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_EMAIL);
+			const existUser = await ctx.context.internalAdapter.findUserByEmail(email);
+			if (existUser && existUser.user.id !== ctx.body.userId) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL);
+			updateData.email = email;
+		}
+	}
 	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const updatedUser = await ctx.context.internalAdapter.updateUser(ctx.body.userId, ctx.body.data);
+	if (updateData.banned === true) await ctx.context.internalAdapter.deleteUserSessions(ctx.body.userId);
 	return ctx.json(parseUserOutput(ctx.context.options, updatedUser));
 });
 const listUsersQuerySchema = z.object({

package/dist/plugins/admin/schema.d.mts

@@ -30,6 +30,7 @@ declare const schema: {
       impersonatedBy: {
         type: "string";
         required: false;
+        input: false;
       };
     };
   };

package/dist/plugins/admin/schema.mjs

@@ -25,7 +25,8 @@ const schema = {
 	} },
 	session: { fields: { impersonatedBy: {
 		type: "string",
-		required: false
+		required: false,
+		input: false
 	} } }
 };
 //#endregion

package/dist/plugins/email-otp/routes.mjs

@@ -334,7 +334,7 @@ const verifyEmailOTP = (opts) => createAuthEndpoint("/email-otp/verify-email", {
 		});
 	}
 	const currentSession = await getSessionFromCtx(ctx);
-	if (currentSession && updatedUser.emailVerified) {
+	if (currentSession && updatedUser.emailVerified && currentSession.user.id === updatedUser.id) {
 		const dontRememberMeCookie = await ctx.getSignedCookie(ctx.context.authCookies.dontRememberToken.name, ctx.context.secret);
 		await setCookieCache(ctx, {
 			session: currentSession.session,

package/dist/plugins/generic-oauth/routes.mjs

@@ -209,7 +209,12 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 			ctx.context.logger.error(missingEmailLogMessage(providerConfig.providerId, { source: "generic" }), userInfo);
 			redirectOnError(ctx, resolvedErrorURL, "email_is_missing");
 		}
-		const id = mapUser.id ? String(mapUser.id) : String(userInfo.id);
+		const rawId = mapUser.id !== void 0 && mapUser.id !== null && mapUser.id !== "" ? mapUser.id : userInfo.id;
+		const id = rawId !== void 0 && rawId !== null ? String(rawId) : "";
+		if (!id) {
+			ctx.context.logger.error("Provider did not return an account id (e.g. `sub`). Unable to sign in.", userInfo);
+			redirectOnError(ctx, resolvedErrorURL, "id_is_missing");
+		}
 		const name = mapUser.name ? mapUser.name : userInfo.name;
 		if (!name) {
 			ctx.context.logger.error("Unable to get user info", userInfo);
@@ -398,8 +403,10 @@ async function getUserInfo(tokens, finalUserInfoUrl) {
 		method: "GET",
 		headers: { Authorization: `Bearer ${tokens.accessToken}` }
 	});
+	const subjectId = userInfo.data?.sub ?? userInfo.data?.id;
+	if (subjectId === void 0 || subjectId === null || subjectId === "") return null;
 	return {
-		id: userInfo.data?.sub ?? "",
+		id: subjectId,
 		emailVerified: userInfo.data?.email_verified ?? false,
 		email: userInfo.data?.email,
 		image: userInfo.data?.picture,

package/dist/plugins/organization/organization.mjs

@@ -394,11 +394,13 @@ function organization(options) {
 				activeOrganizationId: {
 					type: "string",
 					required: false,
+					input: false,
 					fieldName: opts.schema?.session?.fields?.activeOrganizationId
 				},
 				...teamSupport ? { activeTeamId: {
 					type: "string",
 					required: false,
+					input: false,
 					fieldName: opts.schema?.session?.fields?.activeTeamId
 				} } : {}
 			} }

package/dist/plugins/organization/routes/crud-invites.mjs

@@ -170,7 +170,12 @@ const createInvitation = (option) => {
 		}, ctx.context) : ctx.context.orgOptions.invitationLimit ?? 100;
 		if ((await adapter.findPendingInvitations({ organizationId })).length >= invitationLimit) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.INVITATION_LIMIT_REACHED);
 		if (ctx.context.orgOptions.teams?.enabled && "teamId" in ctx.body && ctx.body.teamId) {
-			if ((typeof ctx.body.teamId === "string" ? [ctx.body.teamId] : ctx.body.teamId).some((id) => id.includes(","))) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVALID_TEAM_ID);
+			const requestedTeamIds = typeof ctx.body.teamId === "string" ? [ctx.body.teamId] : ctx.body.teamId;
+			if (requestedTeamIds.some((id) => id.includes(","))) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVALID_TEAM_ID);
+			for (const teamId of requestedTeamIds) if (!await adapter.findTeamById({
+				teamId,
+				organizationId
+			})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
 		}
 		if (ctx.context.orgOptions.teams && ctx.context.orgOptions.teams.enabled && typeof ctx.context.orgOptions.teams.maximumMembersPerTeam !== "undefined" && "teamId" in ctx.body && ctx.body.teamId) {
 			const teamIds = typeof ctx.body.teamId === "string" ? [ctx.body.teamId] : ctx.body.teamId;
@@ -285,6 +290,10 @@ const acceptInvitation = (options) => createAuthEndpoint("/organization/accept-i
 		const teamIds = acceptedI.teamId.split(",");
 		const onlyOne = teamIds.length === 1;
 		for (const teamId of teamIds) {
+			if (!await adapter.findTeamById({
+				teamId,
+				organizationId: invitation.organizationId
+			})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
 			await adapter.findOrCreateTeamMember({
 				teamId,
 				userId: session.user.id

package/dist/plugins/organization/routes/crud-team.mjs

@@ -441,8 +441,15 @@ const listUserTeams = (options) => createAuthEndpoint("/organization/list-user-t
 	use: [orgMiddleware, orgSessionMiddleware]
 }, async (ctx) => {
 	const session = ctx.context.session;
-	const teams = await getOrgAdapter(ctx.context, ctx.context.orgOptions).listTeamsByUser({ userId: session.user.id });
-	return ctx.json(teams);
+	const adapter = getOrgAdapter(ctx.context, ctx.context.orgOptions);
+	const teams = await adapter.listTeamsByUser({ userId: session.user.id });
+	const orgIds = [...new Set(teams.map((team) => team.organizationId))];
+	const memberships = await Promise.all(orgIds.map((organizationId) => adapter.checkMembership({
+		userId: session.user.id,
+		organizationId
+	})));
+	const memberOrgIds = new Set(orgIds.filter((_, index) => memberships[index]));
+	return ctx.json(teams.filter((team) => memberOrgIds.has(team.organizationId)));
 });
 const listTeamMembersQuerySchema = z.optional(z.object({ teamId: z.string().optional().meta({ description: "The team whose members we should return. If this is not provided the members of the current active team get returned." }) }));
 const listTeamMembers = (options) => createAuthEndpoint("/organization/list-team-members", {
@@ -494,6 +501,12 @@ const listTeamMembers = (options) => createAuthEndpoint("/organization/list-team
 	const adapter = getOrgAdapter(ctx.context, ctx.context.orgOptions);
 	const teamId = ctx.query?.teamId || session?.session.activeTeamId;
 	if (!teamId) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.YOU_DO_NOT_HAVE_AN_ACTIVE_TEAM);
+	const team = await adapter.findTeamById({ teamId });
+	if (!team) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
+	if (!await adapter.checkMembership({
+		userId: session.user.id,
+		organizationId: team.organizationId
+	})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.USER_IS_NOT_A_MEMBER_OF_THE_TEAM);
 	if (!await adapter.findTeamMember({
 		userId: session.user.id,
 		teamId

package/dist/plugins/organization/schema.d.mts

@@ -183,6 +183,7 @@ interface SessionDefaultFields {
   activeOrganizationId: {
     type: "string";
     required: false;
+    input: false;
   };
 }
 type OrganizationSchema<O extends OrganizationOptions> = (O["dynamicAccessControl"] extends {
@@ -222,6 +223,7 @@ type OrganizationSchema<O extends OrganizationOptions> = (O["dynamicAccessContro
       activeTeamId: {
         type: "string";
         required: false;
+        input: false;
       };
     } : {});
   };

package/dist/plugins/siwe/index.mjs

@@ -5,6 +5,7 @@ import { setSessionCookie } from "../../cookies/index.mjs";
 import { APIError } from "../../api/index.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { toChecksumAddress } from "../../utils/hashing.mjs";
+import { normalizeSiweDomain, parseSiweMessage } from "./parse-message.mjs";
 import { schema } from "./schema.mjs";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
@@ -74,6 +75,33 @@ const siwe = (options) => {
 						code: "UNAUTHORIZED_INVALID_OR_EXPIRED_NONCE"
 					});
 					const { value: nonce } = verification;
+					const parsedMessage = parseSiweMessage(message);
+					const nonceMatches = parsedMessage.nonce === nonce;
+					const addressMatches = !!parsedMessage.address && parsedMessage.address.toLowerCase() === walletAddress.toLowerCase();
+					const chainMatches = parsedMessage.chainId === chainId;
+					const domainMatches = !!parsedMessage.domain && normalizeSiweDomain(parsedMessage.domain) === normalizeSiweDomain(options.domain);
+					if (!nonceMatches || !addressMatches || !chainMatches || !domainMatches) throw APIError.fromStatus("UNAUTHORIZED", {
+						message: "Unauthorized: SIWE message does not match the expected nonce, domain, address, or chain ID",
+						status: 401,
+						code: "UNAUTHORIZED_SIWE_MESSAGE_MISMATCH"
+					});
+					const now = Date.now();
+					if (parsedMessage.expirationTime) {
+						const expiresAt = Date.parse(parsedMessage.expirationTime);
+						if (!Number.isNaN(expiresAt) && now >= expiresAt) throw APIError.fromStatus("UNAUTHORIZED", {
+							message: "Unauthorized: SIWE message has expired",
+							status: 401,
+							code: "UNAUTHORIZED_SIWE_MESSAGE_EXPIRED"
+						});
+					}
+					if (parsedMessage.notBefore) {
+						const notBefore = Date.parse(parsedMessage.notBefore);
+						if (!Number.isNaN(notBefore) && now < notBefore) throw APIError.fromStatus("UNAUTHORIZED", {
+							message: "Unauthorized: SIWE message is not yet valid",
+							status: 401,
+							code: "UNAUTHORIZED_SIWE_MESSAGE_NOT_YET_VALID"
+						});
+					}
 					if (!await options.verifyMessage({
 						message,
 						signature,

package/dist/plugins/siwe/parse-message.mjs

@@ -0,0 +1,60 @@
+//#region src/plugins/siwe/parse-message.ts
+const HEADER_REGEX = /^(?:([a-zA-Z][a-zA-Z0-9+.-]*):\/\/)?(\S+) wants you to sign in with your Ethereum account:$/;
+const ADDRESS_REGEX = /^0x[a-fA-F0-9]{40}$/;
+const FIELD_REGEX = /^([A-Za-z ]+): (.*)$/;
+function parseSiweMessage(message) {
+	const result = {};
+	const lines = message.split(/\r?\n/);
+	const headerMatch = lines[0]?.match(HEADER_REGEX);
+	if (headerMatch) {
+		if (headerMatch[1]) result.scheme = headerMatch[1];
+		result.domain = headerMatch[2];
+	}
+	const addressLine = lines[1]?.trim();
+	if (addressLine && ADDRESS_REGEX.test(addressLine)) result.address = addressLine;
+	for (const line of lines) {
+		const match = line.match(FIELD_REGEX);
+		if (!match) continue;
+		const [, key, value] = match;
+		switch (key) {
+			case "URI":
+				result.uri = value;
+				break;
+			case "Version":
+				result.version = value;
+				break;
+			case "Chain ID": {
+				const parsed = Number(value);
+				if (Number.isInteger(parsed)) result.chainId = parsed;
+				break;
+			}
+			case "Nonce":
+				result.nonce = value;
+				break;
+			case "Issued At":
+				result.issuedAt = value;
+				break;
+			case "Expiration Time":
+				result.expirationTime = value;
+				break;
+			case "Not Before":
+				result.notBefore = value;
+				break;
+			case "Request ID":
+				result.requestId = value;
+				break;
+		}
+	}
+	return result;
+}
+/**
+* Normalizes a SIWE `domain` (RFC 3986 authority) for comparison: strips any
+* scheme and path, lowercases, leaving `host[:port]`.
+*/
+function normalizeSiweDomain(domain) {
+	const withoutScheme = domain.trim().toLowerCase().replace(/^[a-z][a-z0-9+.-]*:\/\//, "");
+	const pathStart = withoutScheme.indexOf("/");
+	return pathStart === -1 ? withoutScheme : withoutScheme.slice(0, pathStart);
+}
+//#endregion
+export { normalizeSiweDomain, parseSiweMessage };

package/dist/plugins/two-factor/index.mjs

@@ -220,7 +220,15 @@ const twoFactor = (options) => {
 					expireCookie(ctx, trustDeviceCookieAttrs);
 				}
 				/**
-				* remove the session cookie. It's set by the sign in credential
+				* Remove the session cookie set by the credential sign-in.
+				*
+				* The credential handler already created a session and set
+				* `ctx.context.newSession`. Since 2FA is still pending, that
+				* session is deleted here and `newSession` is reset to `null`
+				* so downstream hooks don't observe a session that no longer
+				* exists. Hooks that read `ctx.context.newSession` after a
+				* sign-in must therefore null-check it: it is `null` while a
+				* 2FA challenge is in flight (no authenticated session yet).
 				*/
 				deleteSessionCookie(ctx, true);
 				await ctx.context.internalAdapter.deleteSession(data.session.token);

package/dist/test-utils/test-instance.d.mts

@@ -7999,11 +7999,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
       priority?: RequestPriority | undefined;
       cache?: RequestCache | undefined;
       credentials?: RequestCredentials;
-      headers?: (HeadersInit & (HeadersInit | {
-        accept: "application/json" | "text/plain" | "application/octet-stream";
-        "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-        authorization: "Bearer" | "Basic";
-      })) | undefined;
       integrity?: string | undefined;
       keepalive?: boolean | undefined;
       method: string;
@@ -8033,6 +8028,12 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         prefix: string | (() => string | undefined) | undefined;
         value: string | (() => string | undefined) | undefined;
       }) | undefined;
+      headers?: {} | {
+        [x: string]: string | undefined;
+        accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+        "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+        authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+      } | undefined;
       body?: any;
       query?: any;
       params?: any;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.15",
+  "version": "1.6.16",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -480,22 +480,22 @@
   },
   "dependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
+    "@better-fetch/fetch": "1.2.2",
     "@noble/ciphers": "^2.1.1",
     "@noble/hashes": "^2.0.1",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "defu": "^6.1.4",
     "jose": "^6.1.3",
     "kysely": "^0.28.17 || ^0.29.0",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.15",
-    "@better-auth/drizzle-adapter": "1.6.15",
-    "@better-auth/kysely-adapter": "1.6.15",
-    "@better-auth/memory-adapter": "1.6.15",
-    "@better-auth/mongo-adapter": "1.6.15",
-    "@better-auth/prisma-adapter": "1.6.15",
-    "@better-auth/telemetry": "1.6.15"
+    "@better-auth/core": "1.6.16",
+    "@better-auth/drizzle-adapter": "1.6.16",
+    "@better-auth/kysely-adapter": "1.6.16",
+    "@better-auth/memory-adapter": "1.6.16",
+    "@better-auth/mongo-adapter": "1.6.16",
+    "@better-auth/prisma-adapter": "1.6.16",
+    "@better-auth/telemetry": "1.6.16"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",