better-auth 1.6.15 → 1.6.17

package/dist/client/session-atom.mjs

@@ -1,21 +1,146 @@
-import { useAuthQuery } from "./query.mjs";
+import { isJsonEqual, withEquality } from "./equality.mjs";
 import { createSessionRefreshManager } from "./session-refresh.mjs";
 import { atom, onMount } from "nanostores";
 //#region src/client/session-atom.ts
+const isServer = () => typeof window === "undefined";
+/**
+* Normalize $fetch response: `throw: true` returns data directly,
+* otherwise `{ data, error }`.
+*/
+function normalizeSessionResponse(res) {
+	if (typeof res === "object" && res !== null && "data" in res && "error" in res) return res;
+	return {
+		data: res,
+		error: null
+	};
+}
+function normalizeSessionData(data) {
+	if (!data) return null;
+	if (data.session === null && data.user === null) return null;
+	return data;
+}
+function isSessionAtomEqual(a, b) {
+	return isJsonEqual(a.data, b.data) && a.error === b.error && a.isPending === b.isPending && a.isRefetching === b.isRefetching && a.refetch === b.refetch;
+}
 function getSessionAtom($fetch, options) {
 	const $signal = atom(false);
-	const session = useAuthQuery($signal, "/get-session", $fetch, { method: "GET" });
+	let abortController;
+	const refetch = (queryParams) => fetchSession(queryParams);
+	const session = atom({
+		data: null,
+		error: null,
+		isPending: true,
+		isRefetching: false,
+		refetch
+	});
+	withEquality(session, isSessionAtomEqual);
+	const settleAbortedFetch = (controller) => {
+		if (abortController !== controller) return;
+		const current = session.get();
+		abortController = void 0;
+		if (!current.isPending && !current.isRefetching) return;
+		session.set({
+			...current,
+			isPending: false,
+			isRefetching: false,
+			refetch
+		});
+	};
+	const fetchSession = async (queryParams) => {
+		abortController?.abort();
+		const controller = new AbortController();
+		abortController = controller;
+		const current = session.get();
+		session.set({
+			...current,
+			isPending: current.data === null,
+			isRefetching: true,
+			error: null,
+			refetch
+		});
+		try {
+			const res = await $fetch("/get-session", {
+				method: "GET",
+				query: queryParams?.query,
+				signal: controller.signal
+			});
+			if (controller.signal.aborted) {
+				settleAbortedFetch(controller);
+				return;
+			}
+			let { data, error } = normalizeSessionResponse(res);
+			if (data?.needsRefresh) try {
+				const refreshRes = await $fetch("/get-session", {
+					method: "POST",
+					signal: controller.signal
+				});
+				if (controller.signal.aborted) {
+					settleAbortedFetch(controller);
+					return;
+				}
+				({data, error} = normalizeSessionResponse(refreshRes));
+			} catch {
+				if (controller.signal.aborted) {
+					settleAbortedFetch(controller);
+					return;
+				}
+			}
+			if (error) {
+				const latest = session.get();
+				const isUnauthorized = error?.status === 401;
+				session.set({
+					data: isUnauthorized ? null : latest.data,
+					error,
+					isPending: false,
+					isRefetching: false,
+					refetch
+				});
+				return;
+			}
+			const sessionData = normalizeSessionData(data);
+			const current = session.get();
+			const stableData = current.data != null && sessionData != null && isJsonEqual(current.data, sessionData) ? current.data : sessionData;
+			session.set({
+				data: stableData,
+				error: null,
+				isPending: false,
+				isRefetching: false,
+				refetch
+			});
+		} catch (fetchError) {
+			if (controller.signal.aborted) {
+				settleAbortedFetch(controller);
+				return;
+			}
+			const latest = session.get();
+			session.set({
+				data: latest.data,
+				error: fetchError,
+				isPending: false,
+				isRefetching: false,
+				refetch
+			});
+		}
+	};
 	let broadcastSessionUpdate = () => {};
 	onMount(session, () => {
+		let timeoutId;
+		if (!isServer()) timeoutId = setTimeout(() => {
+			fetchSession();
+		}, 0);
 		const refreshManager = createSessionRefreshManager({
-			sessionAtom: session,
+			fetchSession,
+			shouldPollSession: () => session.get().data != null,
 			sessionSignal: $signal,
-			$fetch,
 			options
 		});
 		refreshManager.init();
 		broadcastSessionUpdate = refreshManager.broadcastSessionUpdate;
 		return () => {
+			if (timeoutId) clearTimeout(timeoutId);
+			const controller = abortController;
+			controller?.abort();
+			if (controller) settleAbortedFetch(controller);
 			refreshManager.cleanup();
 		};
 	});

package/dist/client/session-refresh.d.mts

@@ -1,28 +1,13 @@
-import { Session, User } from "../types/models.mjs";
-import { AuthQueryAtom } from "./query.mjs";
 import { BetterAuthClientOptions } from "@better-auth/core";
 import { WritableAtom } from "nanostores";
-import { BetterFetch } from "@better-fetch/fetch";
 
 //#region src/client/session-refresh.d.ts
 interface SessionRefreshOptions {
-  sessionAtom: AuthQueryAtom<{
-    user: User;
-    session: Session;
-  } & Record<string, any>>;
+  fetchSession: () => Promise<void>;
+  shouldPollSession?: () => boolean;
   sessionSignal: WritableAtom<boolean>;
-  $fetch: BetterFetch;
   options?: BetterAuthClientOptions | undefined;
 }
-type SessionResponse = ({
-  session: null;
-  user: null;
-  needsRefresh?: boolean;
-} | {
-  session: Session;
-  user: User;
-  needsRefresh?: boolean;
-}) & Record<string, any>;
 declare function createSessionRefreshManager(opts: SessionRefreshOptions): {
   init: () => void;
   cleanup: () => void;
@@ -32,4 +17,4 @@ declare function createSessionRefreshManager(opts: SessionRefreshOptions): {
   broadcastSessionUpdate: (trigger: "signout" | "getSession" | "updateUser") => void;
 };
 //#endregion
-export { SessionRefreshOptions, SessionResponse, createSessionRefreshManager };
+export { SessionRefreshOptions, createSessionRefreshManager };

package/dist/client/session-refresh.mjs

@@ -4,28 +4,17 @@ import { getGlobalOnlineManager } from "./online-manager.mjs";
 //#region src/client/session-refresh.ts
 const now = () => Math.floor(Date.now() / 1e3);
 /**
-* Normalize $fetch response: `throw: true` returns data directly, otherwise `{ data, error }`.
-*/
-function normalizeSessionResponse(res) {
-	if (typeof res === "object" && res !== null && "data" in res && "error" in res) return res;
-	return {
-		data: res,
-		error: null
-	};
-}
-/**
 * Rate limit: don't refetch on focus if a session request was made within this many seconds
 */
 const FOCUS_REFETCH_RATE_LIMIT_SECONDS = 5;
 function createSessionRefreshManager(opts) {
-	const { sessionAtom, sessionSignal, $fetch, options = {} } = opts;
+	const { fetchSession, shouldPollSession = () => true, sessionSignal, options = {} } = opts;
 	const refetchInterval = options.sessionOptions?.refetchInterval ?? 0;
 	const refetchOnWindowFocus = options.sessionOptions?.refetchOnWindowFocus ?? true;
 	const refetchWhenOffline = options.sessionOptions?.refetchWhenOffline ?? false;
 	const state = {
-		lastSync: 0,
-		lastSessionRequest: 0,
-		cachedSession: void 0
+		isInitialized: false,
+		lastSessionRequest: 0
 	};
 	const shouldRefetch = () => {
 		return refetchWhenOffline || getGlobalOnlineManager().isOnline;
@@ -33,45 +22,21 @@ function createSessionRefreshManager(opts) {
 	const triggerRefetch = (event) => {
 		if (!shouldRefetch()) return;
 		if (event?.event === "storage") {
-			state.lastSync = now();
-			sessionSignal.set(!sessionSignal.get());
+			fetchSession();
 			return;
 		}
-		const currentSession = sessionAtom.get();
-		const fetchSessionWithRefresh = () => {
-			state.lastSessionRequest = now();
-			$fetch("/get-session").then(async (res) => {
-				let { data, error } = normalizeSessionResponse(res);
-				if (data?.needsRefresh) try {
-					const refreshRes = await $fetch("/get-session", { method: "POST" });
-					({data, error} = normalizeSessionResponse(refreshRes));
-				} catch {}
-				const sessionData = data?.session && data?.user ? data : null;
-				sessionAtom.set({
-					...currentSession,
-					data: sessionData,
-					error
-				});
-				state.lastSync = now();
-				sessionSignal.set(!sessionSignal.get());
-			}).catch(() => {});
-		};
 		if (event?.event === "poll") {
-			fetchSessionWithRefresh();
+			state.lastSessionRequest = now();
+			fetchSession();
 			return;
 		}
 		if (event?.event === "visibilitychange") {
 			if (now() - state.lastSessionRequest < FOCUS_REFETCH_RATE_LIMIT_SECONDS) return;
 			state.lastSessionRequest = now();
-		}
-		if (event?.event === "visibilitychange") {
-			fetchSessionWithRefresh();
+			fetchSession();
 			return;
 		}
-		if (currentSession?.data === null || currentSession?.data === void 0) {
-			state.lastSync = now();
-			sessionSignal.set(!sessionSignal.get());
-		}
+		fetchSession();
 	};
 	const broadcastSessionUpdate = (trigger) => {
 		getGlobalBroadcastChannel().post({
@@ -82,7 +47,7 @@ function createSessionRefreshManager(opts) {
 	};
 	const setupPolling = () => {
 		if (refetchInterval && refetchInterval > 0) state.pollInterval = setInterval(() => {
-			if (sessionAtom.get()?.data) triggerRefetch({ event: "poll" });
+			if (shouldPollSession()) triggerRefetch({ event: "poll" });
 		}, refetchInterval * 1e3);
 	};
 	const setupBroadcast = () => {
@@ -101,16 +66,25 @@ function createSessionRefreshManager(opts) {
 			if (online) triggerRefetch({ event: "visibilitychange" });
 		});
 	};
+	const setupSignalSubscription = () => {
+		state.unsubscribeSignal = sessionSignal.listen(() => {
+			fetchSession();
+		});
+	};
 	const init = () => {
+		if (state.isInitialized) return;
+		state.isInitialized = true;
 		setupPolling();
 		setupBroadcast();
 		setupFocusRefetch();
 		setupOnlineRefetch();
-		getGlobalBroadcastChannel().setup();
-		getGlobalFocusManager().setup();
-		getGlobalOnlineManager().setup();
+		setupSignalSubscription();
+		state.cleanupBroadcastSetup = getGlobalBroadcastChannel().setup();
+		state.cleanupFocusSetup = getGlobalFocusManager().setup();
+		state.cleanupOnlineSetup = getGlobalOnlineManager().setup();
 	};
 	const cleanup = () => {
+		if (!state.isInitialized) return;
 		if (state.pollInterval) {
 			clearInterval(state.pollInterval);
 			state.pollInterval = void 0;
@@ -127,9 +101,24 @@ function createSessionRefreshManager(opts) {
 			state.unsubscribeOnline();
 			state.unsubscribeOnline = void 0;
 		}
-		state.lastSync = 0;
+		if (state.unsubscribeSignal) {
+			state.unsubscribeSignal();
+			state.unsubscribeSignal = void 0;
+		}
+		if (state.cleanupBroadcastSetup) {
+			state.cleanupBroadcastSetup();
+			state.cleanupBroadcastSetup = void 0;
+		}
+		if (state.cleanupFocusSetup) {
+			state.cleanupFocusSetup();
+			state.cleanupFocusSetup = void 0;
+		}
+		if (state.cleanupOnlineSetup) {
+			state.cleanupOnlineSetup();
+			state.cleanupOnlineSetup = void 0;
+		}
+		state.isInitialized = false;
 		state.lastSessionRequest = 0;
-		state.cachedSession = void 0;
 	};
 	return {
 		init,

package/dist/client/solid/index.d.mts

@@ -69,11 +69,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -103,6 +98,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/svelte/index.d.mts

@@ -55,11 +55,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -89,6 +84,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/types.d.mts

@@ -3,7 +3,7 @@ import { StripEmptyObjects, UnionToIntersection } from "../types/helper.mjs";
 import { InferRoutes } from "./path-to-object.mjs";
 import { Session as Session$1, User as User$1 } from "../types/models.mjs";
 import { Auth } from "../types/auth.mjs";
-import { BetterAuthClientOptions as BetterAuthClientOptions$1, BetterAuthClientPlugin as BetterAuthClientPlugin$1, ClientAtomListener, ClientStore } from "@better-auth/core";
+import { BetterAuthClientOptions as BetterAuthClientOptions$1, BetterAuthClientPlugin as BetterAuthClientPlugin$1, ClientAtomListener, ClientStore as ClientStore$1 } from "@better-auth/core";
 import { BetterAuthPluginDBSchema, InferDBFieldsOutput } from "@better-auth/core/db";
 import { RawError } from "@better-auth/core/utils/error-codes";
 
@@ -37,4 +37,4 @@ type SessionQueryParams = {
   disableRefresh?: boolean | undefined;
 };
 //#endregion
-export { type BetterAuthClientOptions$1 as BetterAuthClientOptions, type BetterAuthClientPlugin$1 as BetterAuthClientPlugin, type ClientAtomListener, type ClientStore, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferSessionFromClient, InferUserFromClient, IsSignal, SessionQueryParams };
+export { type BetterAuthClientOptions$1 as BetterAuthClientOptions, type BetterAuthClientPlugin$1 as BetterAuthClientPlugin, type ClientAtomListener, type ClientStore$1 as ClientStore, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferSessionFromClient, InferUserFromClient, IsSignal, SessionQueryParams };

package/dist/client/vanilla.d.mts

@@ -53,11 +53,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -87,6 +82,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/client/vue/index.d.mts

@@ -93,11 +93,6 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
     priority?: RequestPriority | undefined;
     cache?: RequestCache | undefined;
     credentials?: RequestCredentials;
-    headers?: (HeadersInit & (HeadersInit | {
-      accept: "application/json" | "text/plain" | "application/octet-stream";
-      "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-      authorization: "Bearer" | "Basic";
-    })) | undefined;
     integrity?: string | undefined;
     keepalive?: boolean | undefined;
     method: string;
@@ -127,6 +122,12 @@ declare function createAuthClient<Option extends BetterAuthClientOptions>(option
       prefix: string | (() => string | undefined) | undefined;
       value: string | (() => string | undefined) | undefined;
     }) | undefined;
+    headers?: {} | {
+      [x: string]: string | undefined;
+      accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+      "content-type"?: ((string & {}) | "application/x-www-form-urlencoded" | "application/json" | "text/plain" | "application/octet-stream" | "multipart/form-data") | undefined;
+      authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+    } | undefined;
     body?: any;
     query?: any;
     params?: any;

package/dist/context/create-context.mjs

@@ -1,5 +1,6 @@
 import { getBaseURL, isDynamicBaseURLConfig } from "../utils/url.mjs";
 import { matchesOriginPattern } from "../auth/trusted-origins.mjs";
+import { hasServerSessionStore } from "./store-capabilities.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
 import { hashPassword, verifyPassword } from "../crypto/password.mjs";
 import { createCookieGetter, getCookies } from "../cookies/index.mjs";
@@ -42,7 +43,7 @@ function validateSecret(secret, logger) {
 	if (estimateEntropy(secret) < 120) logger.warn("[better-auth] Warning: your BETTER_AUTH_SECRET appears low-entropy. Use a randomly generated secret for production.");
 }
 async function createAuthContext(adapter, options, getDatabaseType) {
-	const isStateful = !!options.database || !!options.secondaryStorage;
+	const isStateful = hasServerSessionStore(options);
 	if (!isStateful) options = defu$1(options, { session: { cookieCache: {
 		enabled: true,
 		strategy: "jwe",
@@ -59,7 +60,7 @@ async function createAuthContext(adapter, options, getDatabaseType) {
 		if (!allowedHosts || allowedHosts.length === 0) throw new BetterAuthError("baseURL.allowedHosts cannot be empty. Provide at least one allowed host pattern (e.g., [\"myapp.com\", \"*.vercel.app\"]).");
 	}
 	const baseURL = isDynamicConfig ? void 0 : getBaseURL(typeof options.baseURL === "string" ? options.baseURL : void 0, options.basePath);
-	if (!baseURL && !isDynamicConfig) logger.warn(`[better-auth] Base URL could not be determined. Please set a valid base URL using the baseURL config option or the BETTER_AUTH_URL environment variable. Without this, callbacks and redirects may not work correctly.`);
+	if (!baseURL && !isDynamicConfig) logger.warn(`[better-auth] Base URL is not set. Set the baseURL option or BETTER_AUTH_URL env, or use a dynamic baseURL with allowedHosts for multi-host setups. Without it the origin is derived from the incoming request, and callbacks and redirects may not work correctly.`);
 	if (adapter.id === "memory" && options.advanced?.database?.generateId === false) logger.error(`[better-auth] Misconfiguration detected.
 You are using the memory DB with generateId: false.
 This will cause no id to be generated for any model.

package/dist/context/store-capabilities.mjs

@@ -0,0 +1,12 @@
+//#region src/context/store-capabilities.ts
+function hasServerSessionStore(options) {
+	return !!options.database || !!options.secondaryStorage;
+}
+function hasServerAccountStore(options) {
+	return !!options.database;
+}
+function shouldBindAccountCookieToSessionUser(options) {
+	return hasServerAccountStore(options);
+}
+//#endregion
+export { hasServerSessionStore, shouldBindAccountCookieToSessionUser };

package/dist/cookies/index.mjs

@@ -1,4 +1,5 @@
 import { isDynamicBaseURLConfig } from "../utils/url.mjs";
+import { shouldBindAccountCookieToSessionUser } from "../context/store-capabilities.mjs";
 import { signJWT, symmetricDecodeJWT, symmetricEncodeJWT, verifyJWT } from "../crypto/jwt.mjs";
 import { parseUserOutput } from "../db/schema.mjs";
 import { getDate } from "../utils/date.mjs";
@@ -114,9 +115,14 @@ async function setCookieCache(ctx, session, dontRememberMe) {
 		}
 		ctx.setCookie(ctx.context.authCookies.sessionData.name, data, options);
 	}
-	if (ctx.context.options.account?.storeAccountCookie) {
+	if (ctx.context.options.account?.storeAccountCookie && !hasPendingSetCookie(ctx, ctx.context.authCookies.accountData.name)) {
 		const accountData = await getAccountCookie(ctx);
-		if (accountData) await setAccountCookie(ctx, accountData);
+		if (accountData) if (!shouldBindAccountCookieToSessionUser(ctx.context.options) || accountData.userId === session.user.id) await setAccountCookie(ctx, accountData);
+		else {
+			expireCookie(ctx, ctx.context.authCookies.accountData);
+			const accountStore = createAccountStore(ctx.context.authCookies.accountData.name, ctx.context.authCookies.accountData.attributes, ctx);
+			accountStore.setCookies(accountStore.clean());
+		}
 	}
 }
 async function setSessionCookie(ctx, session, dontRememberMe, overrides) {
@@ -170,6 +176,20 @@ function removeSetCookieEntries(ctx, cookieName) {
 	}
 }
 /**
+* Whether the response already has a pending `Set-Cookie` for `cookieName`
+* or a chunked variant.
+*/
+function hasPendingSetCookie(ctx, cookieName) {
+	const scoped = ctx;
+	const targets = /* @__PURE__ */ new Set();
+	if (scoped.responseHeaders) targets.add(scoped.responseHeaders);
+	if (scoped.context?.responseHeaders) targets.add(scoped.context.responseHeaders);
+	const exact = `${cookieName}=`;
+	const chunk = `${cookieName}.`;
+	for (const headers of targets) if ((typeof headers.getSetCookie === "function" ? headers.getSetCookie() : splitSetCookieHeader(headers.get("set-cookie") || "")).some((entry) => entry.startsWith(exact) || entry.startsWith(chunk))) return true;
+	return false;
+}
+/**
 * Expires a cookie by setting `maxAge: 0` while preserving its attributes
 */
 function expireCookie(ctx, cookie) {
@@ -231,6 +251,10 @@ const getCookieCache = async (request, config) => {
 		const secret = config?.secret || env.BETTER_AUTH_SECRET;
 		if (!secret) throw new BetterAuthError("getCookieCache requires a secret to be provided. Either pass it as an option or set the BETTER_AUTH_SECRET environment variable");
 		const strategy = config?.strategy || "compact";
+		const isEmbeddedSessionExpired = (payload) => {
+			const expiresAt = payload.session?.expiresAt;
+			return !!expiresAt && new Date(expiresAt).getTime() < Date.now();
+		};
 		if (strategy === "jwe") {
 			const payload = await symmetricDecodeJWT(sessionData, secret, "better-auth-session");
 			if (payload && payload.session && payload.user) {
@@ -244,6 +268,7 @@ const getCookieCache = async (request, config) => {
 					}
 					if (cookieVersion !== expectedVersion) return null;
 				}
+				if (isEmbeddedSessionExpired(payload)) return null;
 				return payload;
 			}
 			return null;
@@ -260,6 +285,7 @@ const getCookieCache = async (request, config) => {
 					}
 					if (cookieVersion !== expectedVersion) return null;
 				}
+				if (isEmbeddedSessionExpired(payload)) return null;
 				return payload;
 			}
 			return null;
@@ -280,6 +306,8 @@ const getCookieCache = async (request, config) => {
 				}
 				if (cookieVersion !== expectedVersion) return null;
 			}
+			if (typeof sessionDataPayload.expiresAt === "number" && sessionDataPayload.expiresAt < Date.now()) return null;
+			if (isEmbeddedSessionExpired(sessionDataPayload.session)) return null;
 			return sessionDataPayload.session;
 		}
 	}

package/dist/db/internal-adapter.mjs

@@ -6,6 +6,8 @@ import { getWithHooks } from "./with-hooks.mjs";
 import { getCurrentAdapter, getCurrentAuthContext, runWithTransaction } from "@better-auth/core/context";
 import { generateId } from "@better-auth/core/utils/id";
 import { safeJSONParse } from "@better-auth/core/utils/json";
+import { base64Url } from "@better-auth/utils/base64";
+import { createHash } from "@better-auth/utils/hash";
 //#region src/db/internal-adapter.ts
 function getTTLSeconds(expiresAt, now = Date.now()) {
 	const expiresMs = typeof expiresAt === "number" ? expiresAt : expiresAt.getTime();
@@ -16,6 +18,7 @@ const createInternalAdapter = (adapter, ctx) => {
 	const options = ctx.options;
 	const secondaryStorage = options.secondaryStorage;
 	const verificationConsumeLocks = /* @__PURE__ */ new Map();
+	let warnedNonAtomicConsume = false;
 	const sessionExpiration = options.session?.expiresIn || 3600 * 24 * 7;
 	const { createWithHooks, updateWithHooks, updateManyWithHooks, deleteWithHooks, deleteManyWithHooks, consumeOneWithHooks } = getWithHooks(adapter, ctx);
 	async function refreshUserSessions(user) {
@@ -653,6 +656,10 @@ const createInternalAdapter = (adapter, ctx) => {
 			if (secondaryStorage && !options.verification?.storeInDatabase) {
 				const consumeCacheKey = async (key) => {
 					if (secondaryStorage.getAndDelete) return hydrateCachedVerification(await secondaryStorage.getAndDelete(key));
+					if (!warnedNonAtomicConsume) {
+						warnedNonAtomicConsume = true;
+						logger.warn("Secondary storage does not implement `getAndDelete`, so single-use verification values cannot be consumed atomically across processes. Implement `getAndDelete` or use database-backed verification storage to guarantee single use.");
+					}
 					return withVerificationConsumeLock(key, async () => {
 						const parsed = hydrateCachedVerification(await secondaryStorage.get(key));
 						if (!parsed) return null;
@@ -712,6 +719,55 @@ const createInternalAdapter = (adapter, ctx) => {
 			if (!consumed || consumed.expiresAt < /* @__PURE__ */ new Date()) return null;
 			return consumed;
 		},
+		reserveVerificationValue: async (data) => {
+			const reservationId = base64Url.encode(new Uint8Array(await createHash("SHA-256").digest(new TextEncoder().encode("reserve:" + data.identifier))), { padding: false });
+			const storageOption = getStorageOption(data.identifier, options.verification?.storeIdentifier);
+			const storedIdentifier = await processIdentifier(data.identifier, storageOption);
+			if (secondaryStorage && !options.verification?.storeInDatabase) {
+				const cacheKey = `verification:${storedIdentifier}`;
+				if (await secondaryStorage.get(cacheKey)) return false;
+				await secondaryStorage.set(cacheKey, JSON.stringify({
+					id: reservationId,
+					identifier: storedIdentifier,
+					value: data.value,
+					expiresAt: data.expiresAt
+				}), getTTLSeconds(data.expiresAt));
+				return true;
+			}
+			try {
+				await adapter.create({
+					model: "verification",
+					data: {
+						id: reservationId,
+						identifier: storedIdentifier,
+						value: data.value,
+						expiresAt: data.expiresAt,
+						createdAt: /* @__PURE__ */ new Date(),
+						updatedAt: /* @__PURE__ */ new Date()
+					},
+					forceAllowId: true
+				});
+			} catch (error) {
+				if (await adapter.findOne({
+					model: "verification",
+					where: [{
+						field: "id",
+						value: reservationId
+					}]
+				})) return false;
+				throw error;
+			}
+			if (secondaryStorage) {
+				const ttl = getTTLSeconds(data.expiresAt);
+				if (ttl > 0) await secondaryStorage.set(`verification:${storedIdentifier}`, JSON.stringify({
+					id: reservationId,
+					identifier: storedIdentifier,
+					value: data.value,
+					expiresAt: data.expiresAt
+				}), ttl);
+			}
+			return true;
+		},
 		updateVerificationByIdentifier: async (identifier, data) => {
 			const storedIdentifier = await processIdentifier(identifier, getStorageOption(identifier, options.verification?.storeIdentifier));
 			if (secondaryStorage) {