npm - better-auth - Versions diffs - 1.6.15 → 1.6.17 - Mend

better-auth 1.6.15 → 1.6.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

package/dist/api/index.d.mts +2 -2
package/dist/api/index.mjs +3 -4
package/dist/api/middlewares/origin-check.mjs +6 -1
package/dist/api/rate-limiter/index.mjs +259 -73
package/dist/api/routes/account.mjs +31 -11
package/dist/api/routes/callback.mjs +3 -3
package/dist/api/routes/index.d.mts +1 -1
package/dist/api/routes/password.mjs +3 -4
package/dist/api/routes/session.d.mts +12 -1
package/dist/api/routes/session.mjs +16 -2
package/dist/api/routes/sign-in.mjs +5 -5
package/dist/api/routes/sign-up.mjs +2 -2
package/dist/api/routes/update-session.mjs +9 -4
package/dist/api/routes/update-user.mjs +10 -12
package/dist/auth/base.mjs +11 -7
package/dist/client/equality.d.mts +19 -0
package/dist/client/equality.mjs +42 -0
package/dist/client/index.d.mts +5 -4
package/dist/client/index.mjs +2 -1
package/dist/client/lynx/index.d.mts +6 -5
package/dist/client/path-to-object.d.mts +5 -2
package/dist/client/plugins/index.d.mts +4 -1
package/dist/client/plugins/index.mjs +4 -1
package/dist/client/query.d.mts +4 -3
package/dist/client/query.mjs +27 -17
package/dist/client/react/index.d.mts +6 -5
package/dist/client/session-atom.mjs +129 -4
package/dist/client/session-refresh.d.mts +3 -18
package/dist/client/session-refresh.mjs +38 -49
package/dist/client/solid/index.d.mts +6 -5
package/dist/client/svelte/index.d.mts +6 -5
package/dist/client/types.d.mts +2 -2
package/dist/client/vanilla.d.mts +6 -5
package/dist/client/vue/index.d.mts +6 -5
package/dist/context/create-context.mjs +3 -2
package/dist/context/store-capabilities.mjs +12 -0
package/dist/cookies/index.mjs +30 -2
package/dist/db/internal-adapter.mjs +56 -0
package/dist/oauth2/link-account.d.mts +13 -0
package/dist/oauth2/link-account.mjs +1 -1
package/dist/package.mjs +1 -1
package/dist/plugins/access/access.mjs +49 -19
package/dist/plugins/admin/access/statement.d.mts +10 -10
package/dist/plugins/admin/access/statement.mjs +2 -0
package/dist/plugins/admin/admin.d.mts +6 -3
package/dist/plugins/admin/client.d.mts +6 -4
package/dist/plugins/admin/error-codes.d.mts +2 -0
package/dist/plugins/admin/error-codes.mjs +3 -1
package/dist/plugins/admin/routes.mjs +73 -5
package/dist/plugins/admin/schema.d.mts +1 -0
package/dist/plugins/admin/schema.mjs +2 -1
package/dist/plugins/captcha/constants.mjs +8 -1
package/dist/plugins/captcha/index.mjs +8 -2
package/dist/plugins/captcha/types.d.mts +21 -0
package/dist/plugins/captcha/verify-handlers/captchafox.mjs +2 -0
package/dist/plugins/captcha/verify-handlers/cloudflare-turnstile.mjs +7 -2
package/dist/plugins/captcha/verify-handlers/google-recaptcha.mjs +7 -2
package/dist/plugins/captcha/verify-handlers/h-captcha.mjs +2 -0
package/dist/plugins/device-authorization/routes.mjs +16 -9
package/dist/plugins/email-otp/routes.mjs +23 -53
package/dist/plugins/generic-oauth/index.mjs +7 -2
package/dist/plugins/generic-oauth/routes.mjs +20 -9
package/dist/plugins/haveibeenpwned/index.d.mts +1 -1
package/dist/plugins/haveibeenpwned/index.mjs +5 -1
package/dist/plugins/index.d.mts +5 -1
package/dist/plugins/index.mjs +4 -1
package/dist/plugins/jwt/index.mjs +2 -2
package/dist/plugins/mcp/client/index.mjs +1 -0
package/dist/plugins/mcp/index.mjs +8 -0
package/dist/plugins/multi-session/index.mjs +7 -5
package/dist/plugins/oauth-popup/client.d.mts +82 -0
package/dist/plugins/oauth-popup/client.mjs +203 -0
package/dist/plugins/oauth-popup/constants.d.mts +11 -0
package/dist/plugins/oauth-popup/constants.mjs +11 -0
package/dist/plugins/oauth-popup/error-codes.d.mts +11 -0
package/dist/plugins/oauth-popup/error-codes.mjs +10 -0
package/dist/plugins/oauth-popup/index.d.mts +67 -0
package/dist/plugins/oauth-popup/index.mjs +227 -0
package/dist/plugins/oauth-popup/types.d.mts +30 -0
package/dist/plugins/oauth-proxy/index.mjs +2 -2
package/dist/plugins/oauth-proxy/utils.mjs +16 -2
package/dist/plugins/oidc-provider/index.mjs +10 -0
package/dist/plugins/one-tap/client.mjs +12 -6
package/dist/plugins/one-tap/index.d.mts +1 -0
package/dist/plugins/one-tap/index.mjs +9 -5
package/dist/plugins/one-time-token/index.mjs +1 -3
package/dist/plugins/open-api/generator.mjs +7 -4
package/dist/plugins/organization/adapter.d.mts +29 -1
package/dist/plugins/organization/adapter.mjs +66 -6
package/dist/plugins/organization/organization.mjs +2 -0
package/dist/plugins/organization/routes/crud-invites.mjs +55 -31
package/dist/plugins/organization/routes/crud-members.mjs +42 -6
package/dist/plugins/organization/routes/crud-team.mjs +51 -5
package/dist/plugins/organization/schema.d.mts +2 -0
package/dist/plugins/phone-number/routes.mjs +41 -36
package/dist/plugins/siwe/index.mjs +30 -3
package/dist/plugins/siwe/parse-message.mjs +60 -0
package/dist/plugins/two-factor/backup-codes/index.mjs +1 -1
package/dist/plugins/two-factor/index.mjs +9 -1
package/dist/plugins/two-factor/otp/index.mjs +11 -13
package/dist/plugins/two-factor/totp/index.mjs +1 -1
package/dist/plugins/two-factor/verify-two-factor.mjs +6 -2
package/dist/plugins/username/index.mjs +6 -6
package/dist/test-utils/test-instance.d.mts +6 -5
package/package.json +10 -10

package/dist/api/routes/session.d.mts CHANGED Viewed

@@ -45,6 +45,17 @@ declare const getSession: <Option extends BetterAuthOptions>() => better_call0.S
   session: Session$1<Option["session"], Option["plugins"]>;
   user: User$1<Option["user"], Option["plugins"]>;
 } | null>;
+/**
+ * Whether the deployment keeps sessions in a durable server-side store
+ * (a database or secondary storage) rather than only in the signed cookie.
+ *
+ * Sensitive operations use this to decide whether the cookie cache is merely an
+ * optimization that must be bypassed for an authoritative read (`true`), or the
+ * only place the session lives and therefore the authority itself (`false`, for
+ * stateless / DB-less deployments). Pass the result as `disableCookieCache` so a
+ * revoked-but-cached session cannot authorize a sensitive action.
+ */
+declare const isStateful: (ctx: GenericEndpointContext) => boolean;
 declare const getSessionFromCtx: <U extends Record<string, any> = Record<string, any>, S extends Record<string, any> = Record<string, any>>(ctx: GenericEndpointContext, config?: {
   disableCookieCache?: boolean;
   disableRefresh?: boolean;
@@ -409,4 +420,4 @@ declare const revokeOtherSessions: better_call0.StrictEndpoint<"/revoke-other-se
   status: boolean;
 }>;
 //#endregion
-export { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware };
+export { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware };

package/dist/api/routes/session.mjs CHANGED Viewed

@@ -1,4 +1,5 @@
 import { isAPIError } from "../../utils/is-api-error.mjs";
+import { hasServerSessionStore } from "../../context/store-capabilities.mjs";
 import { symmetricDecodeJWT, verifyJWT } from "../../crypto/jwt.mjs";
 import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
 import { getDate } from "../../utils/date.mjs";
@@ -265,6 +266,17 @@ const getSession = () => createAuthEndpoint("/get-session", {
 		throw APIError.from("INTERNAL_SERVER_ERROR", BASE_ERROR_CODES.FAILED_TO_GET_SESSION);
 	}
 });
+/**
+* Whether the deployment keeps sessions in a durable server-side store
+* (a database or secondary storage) rather than only in the signed cookie.
+*
+* Sensitive operations use this to decide whether the cookie cache is merely an
+* optimization that must be bypassed for an authoritative read (`true`), or the
+* only place the session lives and therefore the authority itself (`false`, for
+* stateless / DB-less deployments). Pass the result as `disableCookieCache` so a
+* revoked-but-cached session cannot authorize a sensitive action.
+*/
+const isStateful = (ctx) => hasServerSessionStore(ctx.context.options);
 const getSessionFromCtx = async (ctx, config) => {
 	if (ctx.context.session) return ctx.context.session;
 	const session = await getSession()({
@@ -276,7 +288,9 @@ const getSessionFromCtx = async (ctx, config) => {
 		returnStatus: false,
 		query: {
 			...config,
-			...ctx.query
+			...ctx.query,
+			disableCookieCache: config?.disableCookieCache || ctx.query?.disableCookieCache,
+			disableRefresh: config?.disableRefresh || ctx.query?.disableRefresh
 		}
 	}).catch(() => {
 		return null;
@@ -486,4 +500,4 @@ const revokeOtherSessions = createAuthEndpoint("/revoke-other-sessions", {
 	return ctx.json({ status: true });
 });
 //#endregion
-export { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware };
+export { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware };

package/dist/api/routes/sign-in.mjs CHANGED Viewed

@@ -80,7 +80,7 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 		}
 		const { token, nonce } = c.body.idToken;
 		if (!await provider.verifyIdToken(token, nonce)) {
-			c.context.logger.error("Invalid id token", { provider: c.body.provider });
+			c.context.logger.warn("Invalid id token", { provider: c.body.provider });
 			throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_TOKEN);
 		}
 		const userInfo = await provider.getUserInfo({
@@ -205,26 +205,26 @@ const signInEmail = () => createAuthEndpoint("/sign-in/email", {
 	const user = await ctx.context.internalAdapter.findUserByEmail(email, { includeAccounts: true });
 	if (!user) {
 		await ctx.context.password.hash(password);
-		ctx.context.logger.error("User not found", { email });
+		ctx.context.logger.warn("User not found");
 		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_EMAIL_OR_PASSWORD);
 	}
 	const credentialAccount = user.accounts.find((a) => a.providerId === "credential");
 	if (!credentialAccount) {
 		await ctx.context.password.hash(password);
-		ctx.context.logger.error("Credential account not found", { email });
+		ctx.context.logger.warn("Credential account not found");
 		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_EMAIL_OR_PASSWORD);
 	}
 	const currentPassword = credentialAccount?.password;
 	if (!currentPassword) {
 		await ctx.context.password.hash(password);
-		ctx.context.logger.error("Password not found", { email });
+		ctx.context.logger.warn("Password not found");
 		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_EMAIL_OR_PASSWORD);
 	}
 	if (!await ctx.context.password.verify({
 		hash: currentPassword,
 		password
 	})) {
-		ctx.context.logger.error("Invalid password");
+		ctx.context.logger.warn("Invalid password");
 		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_EMAIL_OR_PASSWORD);
 	}
 	if (ctx.context.options?.emailAndPassword?.requireEmailVerification && !user.user.emailVerified) {

package/dist/api/routes/sign-up.mjs CHANGED Viewed

@@ -150,12 +150,12 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 		if (!password || typeof password !== "string") throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_PASSWORD);
 		const minPasswordLength = ctx.context.password.config.minPasswordLength;
 		if (password.length < minPasswordLength) {
-			ctx.context.logger.error("Password is too short");
+			ctx.context.logger.warn("Password is too short");
 			throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_SHORT);
 		}
 		const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
 		if (password.length > maxPasswordLength) {
-			ctx.context.logger.error("Password is too long");
+			ctx.context.logger.warn("Password is too long");
 			throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 		}
 		const shouldReturnGenericDuplicateResponse = ctx.context.options.emailAndPassword.requireEmailVerification || ctx.context.options.emailAndPassword.autoSignIn === false;

package/dist/api/routes/update-session.mjs CHANGED Viewed

@@ -1,6 +1,6 @@
 import { parseSessionInput, parseSessionOutput } from "../../db/schema.mjs";
-import { setSessionCookie } from "../../cookies/index.mjs";
-import { sessionMiddleware } from "./session.mjs";
+import { deleteSessionCookie, setSessionCookie } from "../../cookies/index.mjs";
+import { isStateful, sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
@@ -34,10 +34,15 @@ const updateSession = () => createAuthEndpoint("/update-session", {
 	const session = ctx.context.session;
 	const additionalFields = parseSessionInput(ctx.context.options, body, "update");
 	if (Object.keys(additionalFields).length === 0) throw APIError.fromStatus("BAD_REQUEST", { message: "No fields to update" });
-	const newSession = await ctx.context.internalAdapter.updateSession(session.session.token, {
+	const updatedSession = await ctx.context.internalAdapter.updateSession(session.session.token, {
 		...additionalFields,
 		updatedAt: /* @__PURE__ */ new Date()
-	}) ?? {
+	});
+	if (!updatedSession && isStateful(ctx)) {
+		deleteSessionCookie(ctx);
+		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.FAILED_TO_GET_SESSION);
+	}
+	const newSession = updatedSession ?? {
 		...session.session,
 		...additionalFields,
 		updatedAt: /* @__PURE__ */ new Date()

package/dist/api/routes/update-user.mjs CHANGED Viewed

@@ -2,7 +2,7 @@ import { originCheck } from "../middlewares/origin-check.mjs";
 import { parseUserInput, parseUserOutput } from "../../db/schema.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { deleteSessionCookie, setSessionCookie } from "../../cookies/index.mjs";
-import { getSessionFromCtx, sensitiveSessionMiddleware, sessionMiddleware } from "./session.mjs";
+import { getSessionFromCtx, isStateful, sensitiveSessionMiddleware, sessionMiddleware } from "./session.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { createAuthEndpoint } from "@better-auth/core/api";
@@ -150,12 +150,12 @@ const changePassword = createAuthEndpoint("/change-password", {
 	const session = ctx.context.session;
 	const minPasswordLength = ctx.context.password.config.minPasswordLength;
 	if (newPassword.length < minPasswordLength) {
-		ctx.context.logger.error("Password is too short");
+		ctx.context.logger.warn("Password is too short");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_SHORT);
 	}
 	const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
 	if (newPassword.length > maxPasswordLength) {
-		ctx.context.logger.error("Password is too long");
+		ctx.context.logger.warn("Password is too long");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 	}
 	const account = (await ctx.context.internalAdapter.findAccounts(session.user.id)).find((account) => account.providerId === "credential" && account.password);
@@ -182,7 +182,7 @@ const changePassword = createAuthEndpoint("/change-password", {
 		user: parseUserOutput(ctx.context.options, session.user)
 	});
 });
-const setPassword = createAuthEndpoint({
+const setPassword = createAuthEndpoint.serverOnly({
 	method: "POST",
 	body: z.object({ newPassword: z.string().meta({ description: "The new password to set is required" }) }),
 	use: [sensitiveSessionMiddleware]
@@ -191,12 +191,12 @@ const setPassword = createAuthEndpoint({
 	const session = ctx.context.session;
 	const minPasswordLength = ctx.context.password.config.minPasswordLength;
 	if (newPassword.length < minPasswordLength) {
-		ctx.context.logger.error("Password is too short");
+		ctx.context.logger.warn("Password is too short");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_SHORT);
 	}
 	const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
 	if (newPassword.length > maxPasswordLength) {
-		ctx.context.logger.error("Password is too long");
+		ctx.context.logger.warn("Password is too long");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 	}
 	const account = (await ctx.context.internalAdapter.findAccounts(session.user.id)).find((account) => account.providerId === "credential" && account.password);
@@ -354,17 +354,15 @@ const deleteUserCallback = createAuthEndpoint("/delete-user/callback", {
 			code: "NOT_FOUND"
 		});
 	}
-	const session = await getSessionFromCtx(ctx);
+	const session = await getSessionFromCtx(ctx, { disableCookieCache: isStateful(ctx) });
 	if (!session) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.FAILED_TO_GET_USER_INFO);
-	const token = await ctx.context.internalAdapter.findVerificationValue(`delete-account-${ctx.query.token}`);
-	if (!token || token.expiresAt < /* @__PURE__ */ new Date()) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.INVALID_TOKEN);
-	if (token.value !== session.user.id) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.INVALID_TOKEN);
+	const token = await ctx.context.internalAdapter.consumeVerificationValue(`delete-account-${ctx.query.token}`);
+	if (!token || token.value !== session.user.id) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.INVALID_TOKEN);
 	const beforeDelete = ctx.context.options.user.deleteUser?.beforeDelete;
 	if (beforeDelete) await beforeDelete(session.user, ctx.request);
 	await ctx.context.internalAdapter.deleteUser(session.user.id);
 	await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 	await ctx.context.internalAdapter.deleteAccounts(session.user.id);
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(`delete-account-${ctx.query.token}`);
 	deleteSessionCookie(ctx);
 	const afterDelete = ctx.context.options.user.deleteUser?.afterDelete;
 	if (afterDelete) await afterDelete(session.user, ctx.request);
@@ -414,7 +412,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 	}
 	const newEmail = ctx.body.newEmail.toLowerCase();
 	if (newEmail === ctx.context.session.user.email) {
-		ctx.context.logger.error("Email is the same");
+		ctx.context.logger.warn("Email is the same");
 		throw APIError.fromStatus("BAD_REQUEST", { message: "Email is the same" });
 	}
 	/**

package/dist/auth/base.mjs CHANGED Viewed

@@ -14,16 +14,20 @@ const createBetterAuth = (options, initFn) => {
 			let handlerCtx;
 			if (isDynamicBaseURLConfig(options.baseURL)) handlerCtx = await resolveRequestContext(ctx, request, resolveDynamicTrustedProxyHeaders(ctx.options));
 			else {
-				handlerCtx = ctx;
+				handlerCtx = Object.create(Object.getPrototypeOf(ctx), Object.getOwnPropertyDescriptors(ctx));
+				let trustOptions = ctx.options;
 				if (!ctx.options.baseURL) {
 					const baseURL = getBaseURL(void 0, basePath, request, void 0, ctx.options.advanced?.trustedProxyHeaders);
-					if (baseURL) {
-						ctx.baseURL = baseURL;
-						ctx.options.baseURL = getOrigin(ctx.baseURL) || void 0;
-					} else throw new BetterAuthError("Could not get base URL from request. Please provide a valid base URL.");
+					if (!baseURL) throw new BetterAuthError("Could not get base URL from request. Please provide a valid base URL.");
+					handlerCtx.baseURL = baseURL;
+					handlerCtx.options = {
+						...ctx.options,
+						baseURL: getOrigin(baseURL) || void 0
+					};
+					trustOptions = handlerCtx.options;
 				}
-				handlerCtx.trustedOrigins = await getTrustedOrigins(ctx.options, request);
-				handlerCtx.trustedProviders = await getTrustedProviders(ctx.options, request);
+				handlerCtx.trustedOrigins = await getTrustedOrigins(trustOptions, request);
+				handlerCtx.trustedProviders = await getTrustedProviders(trustOptions, request);
 			}
 			const { handler } = router(handlerCtx, options);
 			return runWithAdapter(handlerCtx.adapter, () => handler(request));

package/dist/client/equality.d.mts ADDED Viewed

@@ -0,0 +1,19 @@
+import { Store, StoreValue } from "nanostores";
+//#region src/client/equality.d.ts
+/**
+ * Deep structural equality for JSON-serializable values.
+ * Handles: primitives, null, arrays, and plain objects.
+ * Short-circuits on referential equality at every recursion level.
+ */
+declare function isJsonEqual(a: unknown, b: unknown): boolean;
+/**
+ * Attach an equality gate to a nanostores atom via `onSet`.
+ * When `isEqual(currentValue, newValue)` returns true, the `set()` call
+ * is aborted: no listeners fire, no framework re-renders occur.
+ *
+ * Returns the unsubscribe function from `onSet`.
+ */
+declare function withEquality<S extends Store>(store: S, isEqual: (a: StoreValue<S>, b: StoreValue<S>) => boolean): () => void;
+//#endregion
+export { isJsonEqual, withEquality };

package/dist/client/equality.mjs ADDED Viewed

@@ -0,0 +1,42 @@
+import { onSet } from "nanostores";
+//#region src/client/equality.ts
+function isPlainObject(value) {
+	if (typeof value !== "object" || value === null) return false;
+	const prototype = Object.getPrototypeOf(value);
+	return prototype === Object.prototype || prototype === null;
+}
+/**
+* Deep structural equality for JSON-serializable values.
+* Handles: primitives, null, arrays, and plain objects.
+* Short-circuits on referential equality at every recursion level.
+*/
+function isJsonEqual(a, b) {
+	if (a === b) return true;
+	if (Array.isArray(a) && Array.isArray(b)) {
+		if (a.length !== b.length) return false;
+		for (let i = 0; i < a.length; i++) if (!isJsonEqual(a[i], b[i])) return false;
+		return true;
+	}
+	if (isPlainObject(a) && isPlainObject(b)) {
+		const keysA = Object.keys(a);
+		const keysB = Object.keys(b);
+		if (keysA.length !== keysB.length) return false;
+		for (const key of keysA) if (!(key in b) || !isJsonEqual(a[key], b[key])) return false;
+		return true;
+	}
+	return false;
+}
+/**
+* Attach an equality gate to a nanostores atom via `onSet`.
+* When `isEqual(currentValue, newValue)` returns true, the `set()` call
+* is aborted: no listeners fire, no framework re-renders occur.
+*
+* Returns the unsubscribe function from `onSet`.
+*/
+function withEquality(store, isEqual) {
+	return onSet(store, ({ newValue, abort }) => {
+		if (isEqual(store.value, newValue)) abort();
+	});
+}
+//#endregion
+export { isJsonEqual, withEquality };

package/dist/client/index.d.mts CHANGED Viewed

@@ -1,12 +1,13 @@
 import { ExtractPluginField, HasRequiredKeys, InferPluginFieldFromTuple, IsAny, OverrideMerge, Prettify, PrettifyDeep, RequiredKeysOf, StripEmptyObjects, UnionToIntersection } from "../types/helper.mjs";
-import { CamelCase, InferCtx, InferRoute, InferRoutes, InferSignUpEmailCtx, InferUserUpdateCtx, MergeRoutes, PathToObject, ProxyRequest } from "./path-to-object.mjs";
+import { CamelCase, InferCtx, InferRoute, InferRoutes, InferSessionUpdateCtx, InferSignUpEmailCtx, InferUserUpdateCtx, MergeRoutes, PathToObject, ProxyRequest } from "./path-to-object.mjs";
 import { BetterAuthClientOptions, BetterAuthClientPlugin, ClientAtomListener, ClientStore, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferSessionFromClient, InferUserFromClient, IsSignal, SessionQueryParams } from "./types.mjs";
 import { BroadcastChannel, BroadcastListener, BroadcastMessage, getGlobalBroadcastChannel, kBroadcastChannel } from "./broadcast-channel.mjs";
+import { isJsonEqual, withEquality } from "./equality.mjs";
 import { FocusListener, FocusManager, kFocusManager } from "./focus-manager.mjs";
 import { OnlineListener, OnlineManager, kOnlineManager } from "./online-manager.mjs";
 import { parseJSON } from "./parser.mjs";
-import { AuthQueryAtom, useAuthQuery } from "./query.mjs";
-import { SessionRefreshOptions, SessionResponse, createSessionRefreshManager } from "./session-refresh.mjs";
+import { AuthQueryAtom, AuthQueryState, useAuthQuery } from "./query.mjs";
+import { SessionRefreshOptions, createSessionRefreshManager } from "./session-refresh.mjs";
 import { AuthClient, createAuthClient } from "./vanilla.mjs";
 import { AccessControl, ArrayElement, ExactRoleStatements, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, Statements, SubArray, Subset } from "../plugins/access/types.mjs";
 import { AuthorizeResponse, createAccessControl, role } from "../plugins/access/access.mjs";
@@ -31,4 +32,4 @@ declare function InferAuth<O extends {
   options: BetterAuthOptions;
 }>(): O["options"];
 //#endregion
-export { AccessControl, ArrayElement, AuthClient, AuthQueryAtom, AuthorizeResponse, BetterAuthClientOptions, BetterAuthClientPlugin, BroadcastChannel, BroadcastListener, BroadcastMessage, CamelCase, ClientAtomListener, ClientStore, type DBPrimitive, DefaultOrganizationPlugin, DynamicAccessControlEndpoints, ExactRoleStatements, ExtractPluginField, type FocusListener, type FocusManager, HasRequiredKeys, InferActions, InferAdditionalFromClient, InferAuth, InferClientAPI, InferCtx, InferErrorCodes, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPlugin, InferPluginFieldFromTuple, InferRoute, InferRoutes, InferSessionFromClient, InferSignUpEmailCtx, InferTeam, InferUserFromClient, InferUserUpdateCtx, Invitation, InvitationInput, InvitationStatus, IsAny, IsSignal, Member, MemberInput, MergeRoutes, type OnlineListener, type OnlineManager, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, OverrideMerge, PathToObject, Prettify, PrettifyDeep, ProxyRequest, RequiredKeysOf, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SessionQueryParams, SessionRefreshOptions, SessionResponse, Statements, StripEmptyObjects, SubArray, Subset, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, type UnionToIntersection, createAccessControl, createAuthClient, createSessionRefreshManager, defaultRolesSchema, getGlobalBroadcastChannel, getOrgAdapter, hasPermission, invitationSchema, invitationStatus, kBroadcastChannel, kFocusManager, kOnlineManager, memberSchema, organization, organizationRoleSchema, organizationSchema, parseJSON, parseRoles, role, roleSchema, teamMemberSchema, teamSchema, useAuthQuery };
+export { AccessControl, ArrayElement, AuthClient, AuthQueryAtom, AuthQueryState, AuthorizeResponse, BetterAuthClientOptions, BetterAuthClientPlugin, BroadcastChannel, BroadcastListener, BroadcastMessage, CamelCase, ClientAtomListener, ClientStore, type DBPrimitive, DefaultOrganizationPlugin, DynamicAccessControlEndpoints, ExactRoleStatements, ExtractPluginField, type FocusListener, type FocusManager, HasRequiredKeys, InferActions, InferAdditionalFromClient, InferAuth, InferClientAPI, InferCtx, InferErrorCodes, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPlugin, InferPluginFieldFromTuple, InferRoute, InferRoutes, InferSessionFromClient, InferSessionUpdateCtx, InferSignUpEmailCtx, InferTeam, InferUserFromClient, InferUserUpdateCtx, Invitation, InvitationInput, InvitationStatus, IsAny, IsSignal, Member, MemberInput, MergeRoutes, type OnlineListener, type OnlineManager, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, OverrideMerge, PathToObject, Prettify, PrettifyDeep, ProxyRequest, RequiredKeysOf, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SessionQueryParams, SessionRefreshOptions, Statements, StripEmptyObjects, SubArray, Subset, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, type UnionToIntersection, createAccessControl, createAuthClient, createSessionRefreshManager, defaultRolesSchema, getGlobalBroadcastChannel, getOrgAdapter, hasPermission, invitationSchema, invitationStatus, isJsonEqual, kBroadcastChannel, kFocusManager, kOnlineManager, memberSchema, organization, organizationRoleSchema, organizationSchema, parseJSON, parseRoles, role, roleSchema, teamMemberSchema, teamSchema, useAuthQuery, withEquality };

package/dist/client/index.mjs CHANGED Viewed

@@ -1,5 +1,6 @@
 import { PACKAGE_VERSION } from "../version.mjs";
 import { getGlobalBroadcastChannel, kBroadcastChannel } from "./broadcast-channel.mjs";
+import { isJsonEqual, withEquality } from "./equality.mjs";
 import { kFocusManager } from "./focus-manager.mjs";
 import { kOnlineManager } from "./online-manager.mjs";
 import { parseJSON } from "./parser.mjs";
@@ -18,4 +19,4 @@ function InferAuth() {
 	return {};
 }
 //#endregion
-export { InferAuth, InferPlugin, createAuthClient, createSessionRefreshManager, getGlobalBroadcastChannel, kBroadcastChannel, kFocusManager, kOnlineManager, parseJSON, useAuthQuery };
+export { InferAuth, InferPlugin, createAuthClient, createSessionRefreshManager, getGlobalBroadcastChannel, isJsonEqual, kBroadcastChannel, kFocusManager, kOnlineManager, parseJSON, useAuthQuery, withEquality };

package/dist/client/lynx/index.d.mts CHANGED Viewed

@@ -69,11 +69,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -103,6 +98,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/path-to-object.d.mts CHANGED Viewed

@@ -30,6 +30,9 @@ type InferUserUpdateCtx<ClientOpts extends BetterAuthClientOptions, FetchOptions
   name?: string | undefined;
   fetchOptions?: FetchOptions | undefined;
 } & Partial<UnionToIntersection<InferAdditionalFromClient<ClientOpts, "user", "input">>>;
+type InferSessionUpdateCtx<ClientOpts extends BetterAuthClientOptions, FetchOptions extends ClientFetchOption> = {
+  fetchOptions?: FetchOptions | undefined;
+} & Partial<UnionToIntersection<InferAdditionalFromClient<ClientOpts, "session", "input">>>;
 type InferCtxQuery<C extends InputContext<any, any>, FetchOptions extends ClientFetchOption> = C["query"] extends Record<string, any> ? {
   query: C["query"];
   fetchOptions?: FetchOptions | undefined;
@@ -51,7 +54,7 @@ type InferRoute<API, COpts extends BetterAuthClientOptions> = API extends Record
   scope: "http";
 } | {
   scope: "server";
-} ? {} : PathToObject<T["path"], T extends ((ctx: infer C) => infer R) ? C extends InputContext<any, any> ? <FetchOptions extends ClientFetchOption<Partial<C["body"]> & Record<string, any>, Partial<C["query"]> & Record<string, any>, C["params"]>>(...data: HasRequiredKeys<InferCtx<C, FetchOptions>> extends true ? [Prettify$1<T["path"] extends `/sign-up/email` ? InferSignUpEmailCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>, FetchOptions?] : [Prettify$1<T["path"] extends `/update-user` ? InferUserUpdateCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>?, FetchOptions?]) => Promise<BetterFetchResponse<T["options"]["metadata"] extends {
+} ? {} : PathToObject<T["path"], T extends ((ctx: infer C) => infer R) ? C extends InputContext<any, any> ? <FetchOptions extends ClientFetchOption<Partial<C["body"]> & Record<string, any>, Partial<C["query"]> & Record<string, any>, C["params"]>>(...data: HasRequiredKeys<InferCtx<C, FetchOptions>> extends true ? [Prettify$1<T["path"] extends `/sign-up/email` ? InferSignUpEmailCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>, FetchOptions?] : [Prettify$1<T["path"] extends `/update-user` ? InferUserUpdateCtx<COpts, FetchOptions> : T["path"] extends `/update-session` ? InferSessionUpdateCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>?, FetchOptions?]) => Promise<BetterFetchResponse<T["options"]["metadata"] extends {
   CUSTOM_SESSION: boolean;
 } ? MergeCustomSessionWithInferred<NonNullable<Awaited<R>>, COpts> : T["path"] extends "/get-session" ? {
   user: InferUserFromClient<COpts>;
@@ -69,4 +72,4 @@ type ProxyRequest = {
   [key: string]: any;
 };
 //#endregion
-export { CamelCase, InferCtx, InferRoute, InferRoutes, InferSignUpEmailCtx, InferUserUpdateCtx, MergeRoutes, PathToObject, ProxyRequest };
+export { CamelCase, InferCtx, InferRoute, InferRoutes, InferSessionUpdateCtx, InferSignUpEmailCtx, InferUserUpdateCtx, MergeRoutes, PathToObject, ProxyRequest };

package/dist/client/plugins/index.d.mts CHANGED Viewed

@@ -19,6 +19,8 @@ import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "../../plugins/jwt/ty
 import { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody } from "../../plugins/oidc-provider/types.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "../../plugins/multi-session/error-codes.mjs";
 import { MultiSessionConfig } from "../../plugins/multi-session/index.mjs";
+import { POPUP_TOKEN_STORAGE_KEY } from "../../plugins/oauth-popup/constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "../../plugins/oauth-popup/error-codes.mjs";
 import { OneTimeTokenOptions } from "../../plugins/one-time-token/index.mjs";
 import { PhoneNumberOptions, UserWithPhoneNumber } from "../../plugins/phone-number/types.mjs";
 import { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode } from "../../plugins/two-factor/backup-codes/index.mjs";
@@ -44,6 +46,7 @@ import { jwtClient } from "../../plugins/jwt/client.mjs";
 import { LastLoginMethodClientConfig, lastLoginMethodClient } from "../../plugins/last-login-method/client.mjs";
 import { magicLinkClient } from "../../plugins/magic-link/client.mjs";
 import { multiSessionClient } from "../../plugins/multi-session/client.mjs";
+import { SignInPopupOptions, SignInPopupResult, createSignInPopup, getStoredPopupToken, oauthPopupClient, popupBearerFetchPlugin } from "../../plugins/oauth-popup/client.mjs";
 import { OidcClientPlugin, oidcClient } from "../../plugins/oidc-provider/client.mjs";
 import { GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, oneTapClient } from "../../plugins/one-tap/client.mjs";
 import { oneTimeTokenClient } from "../../plugins/one-time-token/client.mjs";
@@ -53,4 +56,4 @@ import { phoneNumberClient } from "../../plugins/phone-number/client.mjs";
 import { siweClient } from "../../plugins/siwe/client.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminClientOptions, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, type FieldAttributeToObject, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationClientOptions, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, type RemoveFieldsWithReturnedFalse, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminClientOptions, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, type FieldAttributeToObject, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAUTH_POPUP_ERROR_CODES, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationClientOptions, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, POPUP_TOKEN_STORAGE_KEY, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, type RemoveFieldsWithReturnedFalse, RequiredKeysOf, SessionWithImpersonatedBy, SignInPopupOptions, SignInPopupResult, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, createSignInPopup, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, getStoredPopupToken, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oauthPopupClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, popupBearerFetchPlugin, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };

package/dist/client/plugins/index.mjs CHANGED Viewed

@@ -14,6 +14,9 @@ import { lastLoginMethodClient } from "../../plugins/last-login-method/client.mj
 import { magicLinkClient } from "../../plugins/magic-link/client.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "../../plugins/multi-session/error-codes.mjs";
 import { multiSessionClient } from "../../plugins/multi-session/client.mjs";
+import { POPUP_TOKEN_STORAGE_KEY } from "../../plugins/oauth-popup/constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "../../plugins/oauth-popup/error-codes.mjs";
+import { createSignInPopup, getStoredPopupToken, oauthPopupClient, popupBearerFetchPlugin } from "../../plugins/oauth-popup/client.mjs";
 import { oidcClient } from "../../plugins/oidc-provider/client.mjs";
 import { oneTapClient } from "../../plugins/one-tap/client.mjs";
 import { oneTimeTokenClient } from "../../plugins/one-time-token/client.mjs";
@@ -27,4 +30,4 @@ import { twoFactorClient } from "../../plugins/two-factor/client.mjs";
 import { USERNAME_ERROR_CODES } from "../../plugins/username/error-codes.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, GENERIC_OAUTH_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, GENERIC_OAUTH_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, OAUTH_POPUP_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, POPUP_TOKEN_STORAGE_KEY, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, createSignInPopup, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, getStoredPopupToken, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oauthPopupClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, popupBearerFetchPlugin, siweClient, twoFactorClient, usernameClient };

package/dist/client/query.d.mts CHANGED Viewed

@@ -4,7 +4,7 @@ import { PreinitializedWritableAtom } from "nanostores";
 import { BetterFetch, BetterFetchError } from "@better-fetch/fetch";
 //#region src/client/query.d.ts
-type AuthQueryAtom<T> = PreinitializedWritableAtom<{
+type AuthQueryState<T> = {
   data: null | T;
   error: null | BetterFetchError;
   isPending: boolean;
@@ -12,11 +12,12 @@ type AuthQueryAtom<T> = PreinitializedWritableAtom<{
   refetch: (queryParams?: {
     query?: SessionQueryParams;
   } | undefined) => Promise<void>;
-}>;
+};
+type AuthQueryAtom<T> = PreinitializedWritableAtom<AuthQueryState<T>>;
 declare const useAuthQuery: <T>(initializedAtom: PreinitializedWritableAtom<any> | PreinitializedWritableAtom<any>[], path: string, $fetch: BetterFetch, options?: (((value: {
   data: null | T;
   error: null | BetterFetchError;
   isPending: boolean;
 }) => ClientFetchOption) | ClientFetchOption) | undefined) => AuthQueryAtom<T>;
 //#endregion
-export { AuthQueryAtom, useAuthQuery };
+export { AuthQueryAtom, AuthQueryState, useAuthQuery };

package/dist/client/query.mjs CHANGED Viewed

@@ -1,6 +1,10 @@
+import { isJsonEqual, withEquality } from "./equality.mjs";
 import { atom, onMount } from "nanostores";
 //#region src/client/query.ts
 const isServer = () => typeof window === "undefined";
+function isAuthQueryStateEqual(a, b) {
+	return isJsonEqual(a.data, b.data) && a.error === b.error && a.isPending === b.isPending && a.isRefetching === b.isRefetching && a.refetch === b.refetch;
+}
 const useAuthQuery = (initializedAtom, path, $fetch, options) => {
 	const value = atom({
 		data: null,
@@ -9,6 +13,7 @@ const useAuthQuery = (initializedAtom, path, $fetch, options) => {
 		isRefetching: false,
 		refetch: (queryParams) => fn(queryParams)
 	});
+	withEquality(value, isAuthQueryStateEqual);
 	const fn = async (queryParams) => {
 		return new Promise((resolve) => {
 			const opts = typeof options === "function" ? options({
@@ -23,8 +28,10 @@ const useAuthQuery = (initializedAtom, path, $fetch, options) => {
 					...queryParams?.query
 				},
 				async onSuccess(context) {
+					const current = value.get();
+					const stableData = current.data != null && context.data != null && isJsonEqual(current.data, context.data) ? current.data : context.data;
 					value.set({
-						data: context.data,
+						data: stableData,
 						error: null,
 						isPending: false,
 						isRefetching: false,
@@ -73,23 +80,26 @@ const useAuthQuery = (initializedAtom, path, $fetch, options) => {
 	};
 	initializedAtom = Array.isArray(initializedAtom) ? initializedAtom : [initializedAtom];
 	let isInitialized = false;
-	for (const initAtom of initializedAtom) initAtom.subscribe(async () => {
-		if (isServer()) return;
-		if (isInitialized) await fn();
-		else onMount(value, () => {
-			const timeoutId = setTimeout(async () => {
-				if (!isInitialized) {
-					isInitialized = true;
-					await fn();
-				}
-			}, 0);
-			return () => {
-				value.off();
-				initAtom.off();
-				clearTimeout(timeoutId);
-			};
+	const cleanups = [];
+	for (const initAtom of initializedAtom) {
+		const unbind = initAtom.subscribe(async () => {
+			if (isServer()) return;
+			if (isInitialized) await fn();
+			else onMount(value, () => {
+				const timeoutId = setTimeout(async () => {
+					if (!isInitialized) {
+						isInitialized = true;
+						await fn();
+					}
+				}, 0);
+				return () => {
+					for (const u of cleanups) u();
+					clearTimeout(timeoutId);
+				};
+			});
 		});
-	});
+		cleanups.push(unbind);
+	}
 	return value;
 };
 //#endregion

package/dist/client/react/index.d.mts CHANGED Viewed

@@ -70,11 +70,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -104,6 +99,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;