better-auth 1.6.15 → 1.6.17

package/dist/plugins/one-tap/index.d.mts

@@ -32,6 +32,7 @@ declare const oneTap: (options?: OneTapOptions | undefined) => {
       method: "POST";
       body: z.ZodObject<{
         idToken: z.ZodString;
+        callbackURL: z.ZodOptional<z.ZodString>;
       }, z.core.$strip>;
       metadata: {
         openapi: {

package/dist/plugins/one-tap/index.mjs

@@ -8,7 +8,10 @@ import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
 import { createRemoteJWKSet, jwtVerify } from "jose";
 //#region src/plugins/one-tap/index.ts
-const oneTapCallbackBodySchema = z.object({ idToken: z.string().meta({ description: "Google ID token, which the client obtains from the One Tap API" }) });
+const oneTapCallbackBodySchema = z.object({
+	idToken: z.string().meta({ description: "Google ID token, which the client obtains from the One Tap API" }),
+	callbackURL: z.string().meta({ description: "URL to redirect to after a successful sign-in" }).optional()
+});
 const oneTap = (options) => ({
 	id: "one-tap",
 	version: PACKAGE_VERSION,
@@ -34,13 +37,14 @@ const oneTap = (options) => ({
 		} }
 	}, async (ctx) => {
 		const { idToken } = ctx.body;
+		const googleProvider = typeof ctx.context.options.socialProviders?.google === "function" ? await ctx.context.options.socialProviders?.google() : ctx.context.options.socialProviders?.google;
+		const audience = options?.clientId || googleProvider?.clientId;
+		if (!audience || Array.isArray(audience) && audience.length === 0) throw new APIError("BAD_REQUEST", { message: "Google client ID is required for One Tap. Set it on the oneTap plugin (clientId) or on socialProviders.google." });
 		let payload;
 		try {
-			const JWKS = createRemoteJWKSet(new URL("https://www.googleapis.com/oauth2/v3/certs"));
-			const googleProvider = typeof ctx.context.options.socialProviders?.google === "function" ? await ctx.context.options.socialProviders?.google() : ctx.context.options.socialProviders?.google;
-			const { payload: verifiedPayload } = await jwtVerify(idToken, JWKS, {
+			const { payload: verifiedPayload } = await jwtVerify(idToken, createRemoteJWKSet(new URL("https://www.googleapis.com/oauth2/v3/certs")), {
 				issuer: ["https://accounts.google.com", "accounts.google.com"],
-				audience: options?.clientId || googleProvider?.clientId
+				audience
 			});
 			payload = verifiedPayload;
 		} catch {

package/dist/plugins/one-time-token/index.mjs

@@ -47,10 +47,8 @@ const oneTimeToken = (options) => {
 			}, async (c) => {
 				const { token } = c.body;
 				const storedToken = await storeToken(c, token);
-				const verificationValue = await c.context.internalAdapter.findVerificationValue(`one-time-token:${storedToken}`);
+				const verificationValue = await c.context.internalAdapter.consumeVerificationValue(`one-time-token:${storedToken}`);
 				if (!verificationValue) throw c.error("BAD_REQUEST", { message: "Invalid token" });
-				await c.context.internalAdapter.deleteVerificationByIdentifier(`one-time-token:${storedToken}`);
-				if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) throw c.error("BAD_REQUEST", { message: "Token expired" });
 				const session = await c.context.internalAdapter.findSession(verificationValue.value);
 				if (!session) throw c.error("BAD_REQUEST", { message: "Session not found" });
 				if (!opts?.disableSetSessionCookie) await setSessionCookie(c, session);

package/dist/plugins/open-api/generator.mjs

@@ -178,12 +178,15 @@ async function generator(ctx, options) {
 	const components = { schemas: { ...Object.entries(tables).reduce((acc, [key, value]) => {
 		const modelName = key.charAt(0).toUpperCase() + key.slice(1);
 		const fields = value.fields;
-		const required = [];
-		const properties = { id: { type: "string" } };
+		const required = new Set(["id"]);
+		const properties = { id: {
+			type: "string",
+			readOnly: true
+		} };
 		Object.entries(fields).forEach(([fieldKey, fieldValue]) => {
 			if (!fieldValue) return;
 			properties[fieldKey] = getFieldSchema(fieldValue);
-			if (fieldValue.required && fieldValue.input !== false) required.push(fieldKey);
+			if (fieldValue.required && fieldValue.returned !== false) required.add(fieldKey);
 		});
 		Object.entries(properties).forEach(([key, prop]) => {
 			const field = value.fields[key];
@@ -192,7 +195,7 @@ async function generator(ctx, options) {
 		acc[modelName] = {
 			type: "object",
 			properties,
-			required
+			required: Array.from(required)
 		};
 		return acc;
 	}, {}) } };

package/dist/plugins/organization/adapter.d.mts

@@ -536,6 +536,28 @@ declare const getOrgAdapter: <O extends OrganizationOptions>(context: AuthContex
     userId: string;
     createdAt: Date;
   }>;
+  /**
+   * Adds a user to a team only when the team is below its member limit,
+   * reading the count and creating the membership in one transaction.
+   * Returns the existing membership unchanged (no capacity charge) when the
+   * user already belongs to the team.
+   *
+   * FIXME(team-cap-race): the count-then-create is not atomic under READ
+   * COMMITTED, so two concurrent adds can both pass the count check and
+   * exceed maximumMembersPerTeam. A durable fix needs a unique constraint on
+   * teamMember(teamId, userId) or serializable isolation. Affects every
+   * caller (acceptInvitation, addMember, addTeamMember).
+   */
+  addTeamMemberWithLimit: (data: {
+    teamId: string;
+    userId: string;
+    maximumMembersPerTeam: number;
+  }) => Promise<{
+    status: "added";
+    member: TeamMember;
+  } | {
+    status: "limitReached";
+  }>;
   removeTeamMember: (data: {
     teamId: string;
     userId: string;
@@ -757,7 +779,13 @@ declare const getOrgAdapter: <O extends OrganizationOptions>(context: AuthContex
   } ? FieldAttributeToObject<Field> : {}) extends infer T ? { [K in keyof T]: T[K] } : never)[]>;
   updateInvitation: (data: {
     invitationId: string;
-    status: "accepted" | "canceled" | "rejected";
+    status: "pending" | "accepted" | "canceled" | "rejected";
+    /**
+     * Only transition when the invitation is currently in this status. The
+     * guarded update is atomic, so a concurrent caller racing the same
+     * transition gets `null` instead of both proceeding.
+     */
+    fromStatus?: "pending";
   }) => Promise<((O["teams"] extends {
     enabled: true;
   } ? {

package/dist/plugins/organization/adapter.mjs

@@ -4,6 +4,23 @@ import { getCurrentAdapter, runWithTransaction } from "@better-auth/core/context
 import { BetterAuthError } from "@better-auth/core/error";
 import { filterOutputFields } from "@better-auth/core/utils/db";
 //#region src/plugins/organization/adapter.ts
+/**
+* Resolves the configured per-team member cap to a concrete number for a given
+* team-add. Returns `undefined` only when no cap is configured. Throws when the
+* cap is a function but no session is available to evaluate it, so a sessionless
+* server-side add fails closed instead of silently bypassing the limit.
+*/
+async function resolveMaximumMembersPerTeam(teams, context) {
+	const maximumMembersPerTeam = teams?.maximumMembersPerTeam;
+	if (maximumMembersPerTeam === void 0) return void 0;
+	if (typeof maximumMembersPerTeam === "number") return maximumMembersPerTeam;
+	if (!context.session) throw new BetterAuthError("`teams.maximumMembersPerTeam` is configured as a function but no session is available to evaluate it. Provide a session-bearing request or configure a numeric limit.");
+	return await maximumMembersPerTeam({
+		teamId: context.teamId,
+		session: context.session,
+		organizationId: context.organizationId
+	});
+}
 const getOrgAdapter = (context, options) => {
 	const baseAdapter = context.adapter;
 	const orgAdditionalFields = options?.schema?.organization?.additionalFields;
@@ -513,6 +530,43 @@ const getOrgAdapter = (context, options) => {
 				}
 			});
 		},
+		addTeamMemberWithLimit: async (data) => {
+			return runWithTransaction(baseAdapter, async () => {
+				const adapter = await getCurrentAdapter(baseAdapter);
+				const existing = await adapter.findOne({
+					model: "teamMember",
+					where: [{
+						field: "teamId",
+						value: data.teamId
+					}, {
+						field: "userId",
+						value: data.userId
+					}]
+				});
+				if (existing) return {
+					status: "added",
+					member: existing
+				};
+				if (await adapter.count({
+					model: "teamMember",
+					where: [{
+						field: "teamId",
+						value: data.teamId
+					}]
+				}) >= data.maximumMembersPerTeam) return { status: "limitReached" };
+				return {
+					status: "added",
+					member: await adapter.create({
+						model: "teamMember",
+						data: {
+							teamId: data.teamId,
+							userId: data.userId,
+							createdAt: /* @__PURE__ */ new Date()
+						}
+					})
+				};
+			});
+		},
 		removeTeamMember: async (data) => {
 			await (await getCurrentAdapter(baseAdapter)).deleteMany({
 				model: "teamMember",
@@ -615,16 +669,22 @@ const getOrgAdapter = (context, options) => {
 			});
 		},
 		updateInvitation: async (data) => {
-			return await (await getCurrentAdapter(baseAdapter)).update({
+			const adapter = await getCurrentAdapter(baseAdapter);
+			const where = [{
+				field: "id",
+				value: data.invitationId
+			}];
+			if (data.fromStatus) where.push({
+				field: "status",
+				value: data.fromStatus
+			});
+			return await adapter.update({
 				model: "invitation",
-				where: [{
-					field: "id",
-					value: data.invitationId
-				}],
+				where,
 				update: { status: data.status }
 			});
 		}
 	};
 };
 //#endregion
-export { getOrgAdapter };
+export { getOrgAdapter, resolveMaximumMembersPerTeam };

package/dist/plugins/organization/organization.mjs

@@ -394,11 +394,13 @@ function organization(options) {
 				activeOrganizationId: {
 					type: "string",
 					required: false,
+					input: false,
 					fieldName: opts.schema?.session?.fields?.activeOrganizationId
 				},
 				...teamSupport ? { activeTeamId: {
 					type: "string",
 					required: false,
+					input: false,
 					fieldName: opts.schema?.session?.fields?.activeTeamId
 				} } : {}
 			} }

package/dist/plugins/organization/routes/crud-invites.mjs

@@ -4,10 +4,11 @@ import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx } from "../../../api/routes/session.mjs";
 import { defaultRoles } from "../access/statement.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";
-import { getOrgAdapter } from "../adapter.mjs";
+import { getOrgAdapter, resolveMaximumMembersPerTeam } from "../adapter.mjs";
 import { orgMiddleware, orgSessionMiddleware } from "../call.mjs";
 import { hasPermission } from "../has-permission.mjs";
 import { parseRoles } from "../organization.mjs";
+import { runWithTransaction } from "@better-auth/core/context";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
@@ -170,7 +171,12 @@ const createInvitation = (option) => {
 		}, ctx.context) : ctx.context.orgOptions.invitationLimit ?? 100;
 		if ((await adapter.findPendingInvitations({ organizationId })).length >= invitationLimit) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.INVITATION_LIMIT_REACHED);
 		if (ctx.context.orgOptions.teams?.enabled && "teamId" in ctx.body && ctx.body.teamId) {
-			if ((typeof ctx.body.teamId === "string" ? [ctx.body.teamId] : ctx.body.teamId).some((id) => id.includes(","))) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVALID_TEAM_ID);
+			const requestedTeamIds = typeof ctx.body.teamId === "string" ? [ctx.body.teamId] : ctx.body.teamId;
+			if (requestedTeamIds.some((id) => id.includes(","))) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVALID_TEAM_ID);
+			for (const teamId of requestedTeamIds) if (!await adapter.findTeamById({
+				teamId,
+				organizationId
+			})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
 		}
 		if (ctx.context.orgOptions.teams && ctx.context.orgOptions.teams.enabled && typeof ctx.context.orgOptions.teams.maximumMembersPerTeam !== "undefined" && "teamId" in ctx.body && ctx.body.teamId) {
 			const teamIds = typeof ctx.body.teamId === "string" ? [ctx.body.teamId] : ctx.body.teamId;
@@ -278,40 +284,58 @@ const acceptInvitation = (options) => createAuthEndpoint("/organization/accept-i
 	});
 	const acceptedI = await adapter.updateInvitation({
 		invitationId: ctx.body.invitationId,
-		status: "accepted"
+		status: "accepted",
+		fromStatus: "pending"
 	});
-	if (!acceptedI) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.FAILED_TO_RETRIEVE_INVITATION);
-	if (ctx.context.orgOptions.teams && ctx.context.orgOptions.teams.enabled && "teamId" in acceptedI && acceptedI.teamId) {
-		const teamIds = acceptedI.teamId.split(",");
-		const onlyOne = teamIds.length === 1;
-		for (const teamId of teamIds) {
-			await adapter.findOrCreateTeamMember({
-				teamId,
-				userId: session.user.id
-			});
-			if (typeof ctx.context.orgOptions.teams.maximumMembersPerTeam !== "undefined") {
-				if (await adapter.countTeamMembers({ teamId }) >= (typeof ctx.context.orgOptions.teams.maximumMembersPerTeam === "function" ? await ctx.context.orgOptions.teams.maximumMembersPerTeam({
+	if (!acceptedI) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVITATION_NOT_FOUND);
+	const member = await runWithTransaction(ctx.context.adapter, async () => {
+		if (ctx.context.orgOptions.teams && ctx.context.orgOptions.teams.enabled && "teamId" in acceptedI && acceptedI.teamId) {
+			const teamIds = acceptedI.teamId.split(",");
+			const onlyOne = teamIds.length === 1;
+			for (const teamId of teamIds) {
+				if (!await adapter.findTeamById({
 					teamId,
-					session,
-					organizationId: invitation.organizationId
-				}) : ctx.context.orgOptions.teams.maximumMembersPerTeam)) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.TEAM_MEMBER_LIMIT_REACHED);
+					organizationId: acceptedI.organizationId
+				})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
+				const maximumMembersPerTeam = await resolveMaximumMembersPerTeam(ctx.context.orgOptions.teams, {
+					teamId,
+					organizationId: acceptedI.organizationId,
+					session
+				});
+				if (maximumMembersPerTeam !== void 0) {
+					if ((await adapter.addTeamMemberWithLimit({
+						teamId,
+						userId: session.user.id,
+						maximumMembersPerTeam
+					})).status === "limitReached") throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.TEAM_MEMBER_LIMIT_REACHED);
+				} else await adapter.findOrCreateTeamMember({
+					teamId,
+					userId: session.user.id
+				});
+			}
+			if (onlyOne) {
+				const teamId = teamIds[0];
+				await setSessionCookie(ctx, {
+					session: await adapter.setActiveTeam(session.session.token, teamId, ctx),
+					user: session.user
+				});
 			}
 		}
-		if (onlyOne) {
-			const teamId = teamIds[0];
-			await setSessionCookie(ctx, {
-				session: await adapter.setActiveTeam(session.session.token, teamId, ctx),
-				user: session.user
-			});
-		}
-	}
-	const member = await adapter.createMember({
-		organizationId: invitation.organizationId,
-		userId: session.user.id,
-		role: invitation.role,
-		createdAt: /* @__PURE__ */ new Date()
+		const createdMember = await adapter.createMember({
+			organizationId: acceptedI.organizationId,
+			userId: session.user.id,
+			role: acceptedI.role,
+			createdAt: /* @__PURE__ */ new Date()
+		});
+		await adapter.setActiveOrganization(session.session.token, acceptedI.organizationId, ctx);
+		return createdMember;
+	}).catch(async (error) => {
+		await adapter.updateInvitation({
+			invitationId: ctx.body.invitationId,
+			status: "pending"
+		});
+		throw error;
 	});
-	await adapter.setActiveOrganization(session.session.token, invitation.organizationId, ctx);
 	if (options?.organizationHooks?.afterAcceptInvitation) await options?.organizationHooks.afterAcceptInvitation({
 		invitation: acceptedI,
 		member,

package/dist/plugins/organization/routes/crud-members.mjs

@@ -1,7 +1,8 @@
 import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx, sessionMiddleware } from "../../../api/routes/session.mjs";
+import { defaultRoles } from "../access/statement.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";
-import { getOrgAdapter } from "../adapter.mjs";
+import { getOrgAdapter, resolveMaximumMembersPerTeam } from "../adapter.mjs";
 import { orgMiddleware, orgSessionMiddleware } from "../call.mjs";
 import { hasPermission } from "../has-permission.mjs";
 import { parseRoles } from "../organization.mjs";
@@ -21,7 +22,7 @@ const addMember = (option) => {
 		fields: option?.schema?.member?.additionalFields || {},
 		isClientSide: true
 	});
-	return createAuthEndpoint({
+	return createAuthEndpoint.serverOnly({
 		method: "POST",
 		body: z.object({
 			...baseMemberSchema.shape,
@@ -87,11 +88,22 @@ const addMember = (option) => {
 				...response.data
 			};
 		}
-		const createdMember = await adapter.createMember(memberData);
-		if (teamId) await adapter.findOrCreateTeamMember({
+		const maximumMembersPerTeam = teamId ? await resolveMaximumMembersPerTeam(ctx.context.orgOptions.teams, {
+			teamId,
+			organizationId: orgId,
+			session
+		}) : void 0;
+		if (teamId) if (maximumMembersPerTeam !== void 0) {
+			if ((await adapter.addTeamMemberWithLimit({
+				teamId,
+				userId: user.id,
+				maximumMembersPerTeam
+			})).status === "limitReached") throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.TEAM_MEMBER_LIMIT_REACHED);
+		} else await adapter.findOrCreateTeamMember({
 			userId: user.id,
 			teamId
 		});
+		const createdMember = await adapter.createMember(memberData);
 		if (option?.organizationHooks?.afterAddMember) await option?.organizationHooks.afterAddMember({
 			member: createdMember,
 			user,
@@ -241,7 +253,31 @@ const updateMemberRole = (option) => createAuthEndpoint("/organization/update-me
 	const organizationId = ctx.body.organizationId || session.session.activeOrganizationId;
 	if (!organizationId) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.NO_ACTIVE_ORGANIZATION);
 	const adapter = getOrgAdapter(ctx.context, ctx.context.orgOptions);
-	const roleToSet = Array.isArray(ctx.body.role) ? ctx.body.role : ctx.body.role ? [ctx.body.role] : [];
+	const roleToSet = (Array.isArray(ctx.body.role) ? ctx.body.role : [ctx.body.role]).flatMap((role) => role.split(",")).map((role) => role.trim()).filter(Boolean);
+	if (roleToSet.length === 0) throw APIError.fromStatus("BAD_REQUEST");
+	const validStaticRoles = new Set([...Object.keys(defaultRoles), ...Object.keys(ctx.context.orgOptions.roles || {})]);
+	const unknownRoles = roleToSet.filter((role) => !validStaticRoles.has(role));
+	if (unknownRoles.length > 0) if (ctx.context.orgOptions.dynamicAccessControl?.enabled) {
+		const foundRoleNames = (await ctx.context.adapter.findMany({
+			model: "organizationRole",
+			where: [{
+				field: "organizationId",
+				value: organizationId
+			}, {
+				field: "role",
+				value: unknownRoles,
+				operator: "in"
+			}]
+		})).map((r) => r.role);
+		const stillInvalid = unknownRoles.filter((r) => !foundRoleNames.includes(r));
+		if (stillInvalid.length > 0) throw new APIError("BAD_REQUEST", {
+			code: ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND.code,
+			message: `${ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND.code}: ${stillInvalid.join(", ")}`
+		});
+	} else throw new APIError("BAD_REQUEST", {
+		code: ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND.code,
+		message: `${ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND.code}: ${unknownRoles.join(", ")}`
+	});
 	const member = await adapter.findMemberByOrgId({
 		userId: session.user.id,
 		organizationId
@@ -280,7 +316,7 @@ const updateMemberRole = (option) => createAuthEndpoint("/organization/update-me
 	const userBeingUpdated = await ctx.context.internalAdapter.findUserById(toBeUpdatedMember.userId);
 	if (!userBeingUpdated) throw APIError.fromStatus("BAD_REQUEST", { message: "User not found" });
 	const previousRole = toBeUpdatedMember.role;
-	const newRole = parseRoles(ctx.body.role);
+	const newRole = parseRoles(roleToSet);
 	if (option?.organizationHooks?.beforeUpdateMemberRole) {
 		const response = await option?.organizationHooks.beforeUpdateMemberRole({
 			member: toBeUpdatedMember,

package/dist/plugins/organization/routes/crud-team.mjs

@@ -2,10 +2,11 @@ import { setSessionCookie } from "../../../cookies/index.mjs";
 import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx } from "../../../api/routes/session.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";
-import { getOrgAdapter } from "../adapter.mjs";
+import { getOrgAdapter, resolveMaximumMembersPerTeam } from "../adapter.mjs";
 import { orgMiddleware, orgSessionMiddleware } from "../call.mjs";
 import { hasPermission } from "../has-permission.mjs";
 import { teamSchema } from "../schema.mjs";
+import { getCurrentAdapter, runWithTransaction } from "@better-auth/core/context";
 import { APIError } from "@better-auth/core/error";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
@@ -185,7 +186,25 @@ const removeTeam = (options) => createAuthEndpoint("/organization/remove-team",
 		user: session?.user,
 		organization
 	});
-	await adapter.deleteTeam(team.id);
+	await runWithTransaction(ctx.context.adapter, async () => {
+		await adapter.deleteTeam(team.id);
+		const pendingInvitations = await adapter.findPendingInvitations({ organizationId });
+		const trx = await getCurrentAdapter(ctx.context.adapter);
+		for (const invitation of pendingInvitations) {
+			if (!("teamId" in invitation) || !invitation.teamId) continue;
+			const teamIds = invitation.teamId.split(",");
+			if (!teamIds.includes(team.id)) continue;
+			const remainingTeamIds = teamIds.filter((id) => id !== team.id);
+			await trx.update({
+				model: "invitation",
+				where: [{
+					field: "id",
+					value: invitation.id
+				}],
+				update: { teamId: remainingTeamIds.length > 0 ? remainingTeamIds.join(",") : null }
+			});
+		}
+	});
 	if (options?.organizationHooks?.afterDeleteTeam) await options?.organizationHooks.afterDeleteTeam({
 		team,
 		user: session?.user,
@@ -441,8 +460,15 @@ const listUserTeams = (options) => createAuthEndpoint("/organization/list-user-t
 	use: [orgMiddleware, orgSessionMiddleware]
 }, async (ctx) => {
 	const session = ctx.context.session;
-	const teams = await getOrgAdapter(ctx.context, ctx.context.orgOptions).listTeamsByUser({ userId: session.user.id });
-	return ctx.json(teams);
+	const adapter = getOrgAdapter(ctx.context, ctx.context.orgOptions);
+	const teams = await adapter.listTeamsByUser({ userId: session.user.id });
+	const orgIds = [...new Set(teams.map((team) => team.organizationId))];
+	const memberships = await Promise.all(orgIds.map((organizationId) => adapter.checkMembership({
+		userId: session.user.id,
+		organizationId
+	})));
+	const memberOrgIds = new Set(orgIds.filter((_, index) => memberships[index]));
+	return ctx.json(teams.filter((team) => memberOrgIds.has(team.organizationId)));
 });
 const listTeamMembersQuerySchema = z.optional(z.object({ teamId: z.string().optional().meta({ description: "The team whose members we should return. If this is not provided the members of the current active team get returned." }) }));
 const listTeamMembers = (options) => createAuthEndpoint("/organization/list-team-members", {
@@ -494,6 +520,12 @@ const listTeamMembers = (options) => createAuthEndpoint("/organization/list-team
 	const adapter = getOrgAdapter(ctx.context, ctx.context.orgOptions);
 	const teamId = ctx.query?.teamId || session?.session.activeTeamId;
 	if (!teamId) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.YOU_DO_NOT_HAVE_AN_ACTIVE_TEAM);
+	const team = await adapter.findTeamById({ teamId });
+	if (!team) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
+	if (!await adapter.checkMembership({
+		userId: session.user.id,
+		organizationId: team.organizationId
+	})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.USER_IS_NOT_A_MEMBER_OF_THE_TEAM);
 	if (!await adapter.findTeamMember({
 		userId: session.user.id,
 		teamId
@@ -587,7 +619,21 @@ const addTeamMember = (options) => createAuthEndpoint("/organization/add-team-me
 		});
 		if (response && typeof response === "object" && "data" in response) {}
 	}
-	const teamMember = await adapter.findOrCreateTeamMember({
+	const maximumMembersPerTeam = await resolveMaximumMembersPerTeam(ctx.context.orgOptions.teams, {
+		teamId: ctx.body.teamId,
+		organizationId,
+		session
+	});
+	let teamMember;
+	if (maximumMembersPerTeam !== void 0) {
+		const result = await adapter.addTeamMemberWithLimit({
+			teamId: ctx.body.teamId,
+			userId: ctx.body.userId,
+			maximumMembersPerTeam
+		});
+		if (result.status === "limitReached") throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.TEAM_MEMBER_LIMIT_REACHED);
+		teamMember = result.member;
+	} else teamMember = await adapter.findOrCreateTeamMember({
 		teamId: ctx.body.teamId,
 		userId: ctx.body.userId
 	});

package/dist/plugins/organization/schema.d.mts

@@ -183,6 +183,7 @@ interface SessionDefaultFields {
   activeOrganizationId: {
     type: "string";
     required: false;
+    input: false;
   };
 }
 type OrganizationSchema<O extends OrganizationOptions> = (O["dynamicAccessControl"] extends {
@@ -222,6 +223,7 @@ type OrganizationSchema<O extends OrganizationOptions> = (O["dynamicAccessContro
       activeTeamId: {
         type: "string";
         required: false;
+        input: false;
       };
     } : {});
   };