better-auth 1.6.16 → 1.6.17

package/dist/api/index.d.mts

@@ -11,7 +11,7 @@ import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEm
 import { error } from "./routes/error.mjs";
 import { ok } from "./routes/ok.mjs";
 import { requestPasswordReset, requestPasswordResetCallback, resetPassword, verifyPassword } from "./routes/password.mjs";
-import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
 import { signInEmail, signInSocial } from "./routes/sign-in.mjs";
 import { signOut } from "./routes/sign-out.mjs";
 import { signUpEmail } from "./routes/sign-up.mjs";
@@ -3961,4 +3961,4 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
   } extends infer T_2 ? { [K in keyof T_2 as K extends keyof T_1 ? never : K]: T_2[K] } : never) & T_1> : never : never : never;
 };
 //#endregion
-export { APIError, type AuthEndpoint, type AuthMiddleware, type DispatchContext, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, type AuthEndpoint, type AuthMiddleware, type DispatchContext, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, isStateful, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/index.mjs

@@ -2,10 +2,10 @@ import { isAPIError } from "../utils/is-api-error.mjs";
 import { requireOrgRole, requireResourceOwnership } from "./middlewares/authorization.mjs";
 import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./middlewares/origin-check.mjs";
 import { getIp } from "../utils/get-request-ip.mjs";
-import { onRequestRateLimit, onResponseRateLimit } from "./rate-limiter/index.mjs";
+import { onRequestRateLimit } from "./rate-limiter/index.mjs";
 import { getOAuthState } from "./state/oauth.mjs";
 import { getShouldSkipSessionRefresh, setShouldSkipSessionRefresh } from "./state/should-session-refresh.mjs";
-import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
 import { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount } from "./routes/account.mjs";
 import { callbackOAuth } from "./routes/callback.mjs";
 import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEmailFn, verifyEmail } from "./routes/email-verification.mjs";
@@ -178,7 +178,6 @@ const router = (ctx, options) => {
 			return currentRequest;
 		},
 		async onResponse(res, req) {
-			await onResponseRateLimit(req, ctx);
 			for (const plugin of ctx.options.plugins || []) if (plugin.onResponse) {
 				const response = await withSpan(`onResponse ${plugin.id}`, {
 					[ATTR_HOOK_TYPE]: "onResponse",
@@ -214,4 +213,4 @@ const router = (ctx, options) => {
 	});
 };
 //#endregion
-export { APIError, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, isStateful, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/middlewares/origin-check.mjs

@@ -23,7 +23,10 @@ function shouldSkipOriginCheck(ctx) {
 	if (Array.isArray(skipOriginCheck) && ctx.request) try {
 		const basePath = new URL(ctx.context.baseURL).pathname;
 		const currentPath = normalizePathname(ctx.request.url, basePath);
-		return skipOriginCheck.some((skipPath) => currentPath.startsWith(skipPath));
+		return skipOriginCheck.some((skipPath) => {
+			const normalizedSkipPath = skipPath.replace(/\/+$/, "");
+			return currentPath === normalizedSkipPath || currentPath.startsWith(`${normalizedSkipPath}/`);
+		});
 	} catch {}
 	return false;
 }
@@ -47,6 +50,7 @@ const originCheckMiddleware = createAuthMiddleware(async (ctx) => {
 	const newUserCallbackURL = body?.newUserCallbackURL;
 	const validateURL = (url, label) => {
 		if (!url) return;
+		if (typeof url !== "string") throw APIError.fromStatus("BAD_REQUEST", { message: `Invalid ${label}: expected a string` });
 		if (!ctx.context.isTrustedOrigin(url, { allowRelativePaths: label !== "origin" })) {
 			ctx.context.logger.error(`Invalid ${label}: ${url}`);
 			ctx.context.logger.info(`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\n`, `Current list of trustedOrigins: ${ctx.context.trustedOrigins}`);

package/dist/api/rate-limiter/index.mjs

@@ -5,10 +5,62 @@ import { normalizePathname } from "@better-auth/core/utils/url";
 import { createRateLimitKey } from "@better-auth/core/utils/ip";
 //#region src/api/rate-limiter/index.ts
 const memory = /* @__PURE__ */ new Map();
-function shouldRateLimit(max, window, rateLimitData) {
+const MEMORY_STORE_MAX_ENTRIES = 1e5;
+function pruneMemoryStore() {
 	const now = Date.now();
-	const windowInMs = window * 1e3;
-	return now - rateLimitData.lastRequest < windowInMs && rateLimitData.count >= max;
+	for (const [key, entry] of memory) if (now >= entry.expiresAt) memory.delete(key);
+	if (memory.size <= MEMORY_STORE_MAX_ENTRIES) return;
+	const overflow = memory.size - MEMORY_STORE_MAX_ENTRIES;
+	let removed = 0;
+	for (const key of memory.keys()) {
+		memory.delete(key);
+		if (++removed >= overflow) break;
+	}
+}
+/**
+* Decide an atomic rate-limit step against an in-memory `RateLimit` snapshot
+* for the rolling `window` (seconds) and `max`. Shared by the memory backend
+* (read-decide-write is atomic under single-threaded JS) and as the fallback
+* for storages lacking an atomic primitive.
+*/
+function decideConsume(data, rule, now) {
+	const windowInMs = rule.window * 1e3;
+	if (!data) return {
+		next: {
+			key: "",
+			count: 1,
+			lastRequest: now
+		},
+		update: false,
+		allowed: true,
+		retryAfter: null
+	};
+	if (now - data.lastRequest > windowInMs) return {
+		next: {
+			...data,
+			count: 1,
+			lastRequest: now
+		},
+		update: true,
+		allowed: true,
+		retryAfter: null
+	};
+	if (data.count >= rule.max) return {
+		next: data,
+		update: true,
+		allowed: false,
+		retryAfter: getRetryAfter(data.lastRequest, rule.window)
+	};
+	return {
+		next: {
+			...data,
+			count: data.count + 1,
+			lastRequest: now
+		},
+		update: true,
+		allowed: true,
+		retryAfter: null
+	};
 }
 function rateLimitResponse(retryAfter) {
 	return new Response(JSON.stringify({ message: "Too many requests. Please try again later." }), {
@@ -25,18 +77,109 @@ function getRetryAfter(lastRequest, window) {
 function createDatabaseStorageWrapper(ctx) {
 	const model = "rateLimit";
 	const db = ctx.adapter;
-	return {
-		get: async (key) => {
-			const data = (await db.findMany({
+	const readRow = async (key) => {
+		const data = (await db.findMany({
+			model,
+			where: [{
+				field: "key",
+				value: key
+			}]
+		}))[0];
+		if (typeof data?.lastRequest === "bigint") data.lastRequest = Number(data.lastRequest);
+		return data;
+	};
+	const consume = async (key, rule) => {
+		const windowInMs = rule.window * 1e3;
+		const data = await readRow(key);
+		const now = Date.now();
+		if (!data) try {
+			await db.create({
+				model,
+				data: {
+					key,
+					count: 1,
+					lastRequest: now
+				}
+			});
+			return {
+				allowed: true,
+				retryAfter: null
+			};
+		} catch (error) {
+			if (!await readRow(key)) throw error;
+			return consume(key, rule);
+		}
+		if (now - data.lastRequest > windowInMs) {
+			if (await db.incrementOne({
 				model,
 				where: [{
 					field: "key",
 					value: key
-				}]
-			}))[0];
-			if (typeof data?.lastRequest === "bigint") data.lastRequest = Number(data.lastRequest);
-			return data;
-		},
+				}, {
+					field: "lastRequest",
+					operator: "lte",
+					value: data.lastRequest
+				}],
+				increment: {},
+				set: {
+					count: 1,
+					lastRequest: now
+				}
+			})) {
+				deleteExpiredRows(now);
+				return {
+					allowed: true,
+					retryAfter: null
+				};
+			}
+			return consume(key, rule);
+		}
+		const windowStart = now - windowInMs;
+		if (await db.incrementOne({
+			model,
+			where: [
+				{
+					field: "key",
+					value: key
+				},
+				{
+					field: "lastRequest",
+					operator: "gt",
+					value: windowStart
+				},
+				{
+					field: "count",
+					operator: "lt",
+					value: rule.max
+				}
+			],
+			increment: { count: 1 },
+			set: { lastRequest: now }
+		})) return {
+			allowed: true,
+			retryAfter: null
+		};
+		const fresh = await readRow(key);
+		if (!fresh) return consume(key, rule);
+		if (now - fresh.lastRequest > windowInMs) return consume(key, rule);
+		return {
+			allowed: false,
+			retryAfter: getRetryAfter(fresh.lastRequest, rule.window)
+		};
+	};
+	const deleteExpiredRows = (now) => {
+		const cutoff = now - Math.max(ctx.rateLimit.window, ...getDefaultSpecialRules().map((r) => r.window)) * 1e3;
+		ctx.runInBackground(db.deleteMany({
+			model,
+			where: [{
+				field: "lastRequest",
+				operator: "lt",
+				value: cutoff
+			}]
+		}).then(() => void 0).catch((e) => ctx.logger.error("Error pruning rate limit rows", e)));
+	};
+	return {
+		get: readRow,
 		set: async (key, value, _update) => {
 			try {
 				if (_update) await db.updateMany({
@@ -61,58 +204,88 @@ function createDatabaseStorageWrapper(ctx) {
 			} catch (e) {
 				ctx.logger.error("Error setting rate limit", e);
 			}
-		}
+		},
+		consume
 	};
 }
 function getRateLimitStorage(ctx, rateLimitSettings) {
 	if (ctx.options.rateLimit?.customStorage) return ctx.options.rateLimit.customStorage;
 	const storage = ctx.rateLimit.storage;
-	if (storage === "secondary-storage") return {
-		get: async (key) => {
-			const data = await ctx.options.secondaryStorage?.get(key);
-			return data ? safeJSONParse(data) : null;
-		},
-		set: async (key, value, _update) => {
-			const ttl = rateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;
-			await ctx.options.secondaryStorage?.set?.(key, JSON.stringify(value), ttl);
-		}
-	};
-	else if (storage === "memory") return {
-		async get(key) {
-			const entry = memory.get(key);
-			if (!entry) return null;
-			if (Date.now() >= entry.expiresAt) {
-				memory.delete(key);
-				return null;
+	if (storage === "secondary-storage") {
+		const ttlFor = (window) => window ?? ctx.options.rateLimit?.window ?? 10;
+		return {
+			get: async (key) => {
+				const data = await ctx.options.secondaryStorage?.get(key);
+				return data ? safeJSONParse(data) : null;
+			},
+			set: async (key, value, _update) => {
+				await ctx.options.secondaryStorage?.set?.(key, JSON.stringify(value), ttlFor(rateLimitSettings.window));
+			},
+			consume: ctx.options.secondaryStorage?.increment ? async (key, rule) => {
+				if (await ctx.options.secondaryStorage.increment(key, ttlFor(rule.window)) <= rule.max) return {
+					allowed: true,
+					retryAfter: null
+				};
+				return {
+					allowed: false,
+					retryAfter: rule.window
+				};
+			} : void 0
+		};
+	} else if (storage === "memory") {
+		const ttlFor = (window) => window ?? ctx.options.rateLimit?.window ?? 10;
+		return {
+			async get(key) {
+				const entry = memory.get(key);
+				if (!entry) return null;
+				if (Date.now() >= entry.expiresAt) {
+					memory.delete(key);
+					return null;
+				}
+				return entry.data;
+			},
+			async set(key, value, _update) {
+				const expiresAt = Date.now() + ttlFor(rateLimitSettings.window) * 1e3;
+				memory.set(key, {
+					data: value,
+					expiresAt
+				});
+			},
+			async consume(key, rule) {
+				pruneMemoryStore();
+				const now = Date.now();
+				const entry = memory.get(key);
+				const decision = decideConsume(entry && now < entry.expiresAt ? entry.data : void 0, rule, now);
+				if (decision.allowed) memory.set(key, {
+					data: {
+						...decision.next,
+						key
+					},
+					expiresAt: now + ttlFor(rule.window) * 1e3
+				});
+				return {
+					allowed: decision.allowed,
+					retryAfter: decision.retryAfter
+				};
 			}
-			return entry.data;
-		},
-		async set(key, value, _update) {
-			const ttl = rateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;
-			const expiresAt = Date.now() + ttl * 1e3;
-			memory.set(key, {
-				data: value,
-				expiresAt
-			});
-		}
-	};
+		};
+	}
 	return createDatabaseStorageWrapper(ctx);
 }
 let ipWarningLogged = false;
+const NO_TRUSTED_IP_KEY = "no-trusted-ip";
 async function resolveRateLimitConfig(req, ctx) {
 	const basePath = new URL(ctx.baseURL).pathname;
 	const path = normalizePathname(req.url, basePath);
 	let currentWindow = ctx.rateLimit.window;
 	let currentMax = ctx.rateLimit.max;
 	const ip = getIp(req, ctx.options);
-	if (!ip) {
-		if (!ipWarningLogged) {
-			ctx.logger.warn("Rate limiting skipped: could not determine client IP address. Ensure your runtime forwards a trusted client IP header and configure `advanced.ipAddress.ipAddressHeaders` if needed.");
-			ipWarningLogged = true;
-		}
-		return null;
+	if (!ip && ctx.options.advanced?.ipAddress?.disableIpTracking) return null;
+	if (!ip && !ipWarningLogged) {
+		ctx.logger.warn("Rate limiting could not determine a client IP and is falling back to a single shared per-path bucket. Ensure your runtime forwards a trusted client IP header and configure `advanced.ipAddress.ipAddressHeaders` if needed.");
+		ipWarningLogged = true;
 	}
-	const key = createRateLimitKey(ip, path);
+	const key = createRateLimitKey(ip ?? NO_TRUSTED_IP_KEY, path);
 	const specialRule = getDefaultSpecialRules().find((rule) => rule.pathMatcher(path));
 	if (specialRule) {
 		currentWindow = specialRule.window;
@@ -150,37 +323,50 @@ async function resolveRateLimitConfig(req, ctx) {
 		currentMax
 	};
 }
+let legacyFallbackWarningLogged = false;
+/**
+* Decides the rate limit for the request in a single atomic step. The whole
+* check-and-increment happens here in the request phase; there is no separate
+* response-phase write-back, so concurrent requests cannot all pass a stale
+* read before any increment lands.
+*/
 async function onRequestRateLimit(req, ctx) {
 	if (!ctx.rateLimit.enabled) return;
 	const config = await resolveRateLimitConfig(req, ctx);
 	if (!config) return;
 	const { key, currentWindow, currentMax } = config;
-	const data = await getRateLimitStorage(ctx, { window: currentWindow }).get(key);
-	if (data && shouldRateLimit(currentMax, currentWindow, data)) return rateLimitResponse(getRetryAfter(data.lastRequest, currentWindow));
-}
-async function onResponseRateLimit(req, ctx) {
-	if (!ctx.rateLimit.enabled) return;
-	const config = await resolveRateLimitConfig(req, ctx);
-	if (!config) return;
-	const { key, currentWindow } = config;
 	const storage = getRateLimitStorage(ctx, { window: currentWindow });
-	const data = await storage.get(key);
-	const now = Date.now();
-	if (!data) await storage.set(key, {
-		key,
-		count: 1,
-		lastRequest: now
-	});
-	else if (now - data.lastRequest > currentWindow * 1e3) await storage.set(key, {
-		...data,
-		count: 1,
-		lastRequest: now
-	}, true);
-	else await storage.set(key, {
-		...data,
-		count: data.count + 1,
-		lastRequest: now
-	}, true);
+	const rule = {
+		window: currentWindow,
+		max: currentMax
+	};
+	if (storage.consume) {
+		const { allowed, retryAfter } = await storage.consume(key, rule);
+		if (!allowed) return rateLimitResponse(retryAfter ?? currentWindow);
+		return;
+	}
+	return legacyConsume(ctx, storage, key, rule);
+}
+/**
+* Non-atomic check-then-increment for storages that do not implement `consume`
+* (custom storages, or secondary storages without `increment`). Under
+* concurrency this is best-effort: simultaneous requests can each pass the
+* check before either write lands.
+*
+* FIXME(rate-limit-consume-required): remove on `next` once `consume` is the
+* sole required member of the storage contract.
+*/
+async function legacyConsume(ctx, storage, key, rule) {
+	if (!legacyFallbackWarningLogged) {
+		ctx.logger.warn("Rate limiting is best-effort: the configured storage has no atomic `consume`, so concurrent requests may bypass the limit. Provide a storage that implements `consume` for strict enforcement.");
+		legacyFallbackWarningLogged = true;
+	}
+	const decision = decideConsume(await storage.get(key), rule, Date.now());
+	if (!decision.allowed) return rateLimitResponse(decision.retryAfter ?? rule.window);
+	await storage.set(key, {
+		...decision.next,
+		key
+	}, decision.update);
 }
 function getDefaultSpecialRules() {
 	return [{
@@ -198,4 +384,4 @@ function getDefaultSpecialRules() {
 	}];
 }
 //#endregion
-export { onRequestRateLimit, onResponseRateLimit };
+export { onRequestRateLimit };

package/dist/api/routes/account.mjs

@@ -1,3 +1,4 @@
+import { shouldBindAccountCookieToSessionUser } from "../../context/store-capabilities.mjs";
 import { parseAccountOutput } from "../../db/schema.mjs";
 import { getAccountCookie, setAccountCookie } from "../../cookies/session-store.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
@@ -5,7 +6,7 @@ import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
 import { decryptOAuthToken, setTokenUtil } from "../../oauth2/utils.mjs";
 import { applyUpdateUserInfoOnLink } from "../../oauth2/link-account.mjs";
 import { generateState } from "../../oauth2/state.mjs";
-import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "./session.mjs";
+import { freshSessionMiddleware, getSessionFromCtx, isStateful, sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { SocialProviderListEnum } from "@better-auth/core/social-providers";
 import { createAuthEndpoint } from "@better-auth/core/api";
@@ -121,7 +122,7 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 		}
 		const { token, nonce } = c.body.idToken;
 		if (!await provider.verifyIdToken(token, nonce)) {
-			c.context.logger.error("Invalid id token", { provider: c.body.provider });
+			c.context.logger.warn("Invalid id token", { provider: c.body.provider });
 			throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_TOKEN);
 		}
 		const linkingUserInfo = await provider.getUserInfo({
@@ -233,7 +234,7 @@ const unlinkAccount = createAuthEndpoint("/unlink-account", {
 * so the cache is left in place for them.
 */
 async function resolveUserId(ctx, userId) {
-	const session = await getSessionFromCtx(ctx, { disableCookieCache: !!ctx.context.options.database || !!ctx.context.options.secondaryStorage });
+	const session = await getSessionFromCtx(ctx, { disableCookieCache: isStateful(ctx) });
 	if (!session && (ctx.request || ctx.headers)) throw ctx.error("UNAUTHORIZED");
 	const resolvedUserId = session?.user?.id || userId;
 	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
@@ -242,6 +243,9 @@ async function resolveUserId(ctx, userId) {
 	});
 	return resolvedUserId;
 }
+function matchesAccountSelection(ctx, account, { resolvedUserId, providerId, accountId }) {
+	return (!shouldBindAccountCookieToSessionUser(ctx.context.options) || account.userId === resolvedUserId) && (!providerId || providerId === account.providerId) && (!accountId || account.accountId === accountId);
+}
 /**
 * Fetches a currently-valid access token for a user's provider account,
 * refreshing and persisting it when it is within five seconds of expiry.
@@ -257,7 +261,11 @@ async function getValidAccessToken(ctx, { resolvedUserId, providerId, accountId,
 	let account = resolvedAccount;
 	if (!account) {
 		const accountData = await getAccountCookie(ctx);
-		if (accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
+		if (accountData && matchesAccountSelection(ctx, accountData, {
+			resolvedUserId,
+			providerId,
+			accountId
+		})) account = accountData;
 		else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
 	}
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
@@ -388,7 +396,11 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 	});
 	let account = void 0;
 	const accountData = await getAccountCookie(ctx);
-	const usedAccountCookie = !!accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId);
+	const usedAccountCookie = !!accountData && matchesAccountSelection(ctx, accountData, {
+		resolvedUserId,
+		providerId,
+		accountId
+	});
 	if (usedAccountCookie) account = accountData;
 	else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
@@ -484,7 +496,10 @@ const accountInfo = createAuthEndpoint("/account-info", {
 	if (!providedAccountId) {
 		if (ctx.context.options.account?.storeAccountCookie) {
 			const accountData = await getAccountCookie(ctx);
-			if (accountData) account = accountData;
+			if (accountData && matchesAccountSelection(ctx, accountData, {
+				resolvedUserId,
+				providerId: providedProviderId
+			})) account = accountData;
 		}
 	} else {
 		const matchingAccounts = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).filter((acc) => acc.accountId === providedAccountId && (!providedProviderId || acc.providerId === providedProviderId));
@@ -494,7 +509,7 @@ const accountInfo = createAuthEndpoint("/account-info", {
 		});
 		account = matchingAccounts[0];
 	}
-	if (!account || account.userId !== resolvedUserId) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
+	if (!account || !matchesAccountSelection(ctx, account, { resolvedUserId })) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: account.providerId });
 	if (!provider) throw APIError.from("BAD_REQUEST", {
 		message: "Account is not associated with a configured social provider.",

package/dist/api/routes/callback.mjs

@@ -55,12 +55,12 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	const resolvedErrorURL = errorURL ?? defaultErrorURL;
 	if (error) redirectOnError(c, resolvedErrorURL, error, error_description);
 	if (!code) {
-		c.context.logger.error("Code not found");
+		c.context.logger.warn("Code not found");
 		redirectOnError(c, resolvedErrorURL, "no_code");
 	}
 	const provider = await getAwaitableValue(c.context.socialProviders, { value: c.params.id });
 	if (!provider) {
-		c.context.logger.error("Oauth provider with id", c.params.id, "not found");
+		c.context.logger.warn("OAuth provider not found", { providerId: c.params.id });
 		redirectOnError(c, resolvedErrorURL, "oauth_provider_not_found");
 	}
 	let tokens;

package/dist/api/routes/index.d.mts

@@ -4,7 +4,7 @@ import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEm
 import { error } from "./error.mjs";
 import { ok } from "./ok.mjs";
 import { requestPasswordReset, requestPasswordResetCallback, resetPassword, verifyPassword } from "./password.mjs";
-import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./session.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./session.mjs";
 import { signInEmail, signInSocial } from "./sign-in.mjs";
 import { signOut } from "./sign-out.mjs";
 import { signUpEmail } from "./sign-up.mjs";

package/dist/api/routes/password.mjs

@@ -55,7 +55,7 @@ const requestPasswordReset = createAuthEndpoint("/request-password-reset", {
 		*/
 		generateId(24);
 		await ctx.context.internalAdapter.findVerificationValue("dummy-verification-token");
-		ctx.context.logger.error("Reset Password: User not found", { email });
+		ctx.context.logger.warn("Reset Password: User not found");
 		return ctx.json({
 			status: true,
 			message: "If this email exists in our system, check your email for the reset link"
@@ -145,8 +145,8 @@ const resetPassword = createAuthEndpoint("/reset-password", {
 	if (newPassword.length < minLength) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_SHORT);
 	if (newPassword.length > maxLength) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 	const id = `reset-password:${token}`;
-	const verification = await ctx.context.internalAdapter.findVerificationValue(id);
-	if (!verification || verification.expiresAt < /* @__PURE__ */ new Date()) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_TOKEN);
+	const verification = await ctx.context.internalAdapter.consumeVerificationValue(id);
+	if (!verification) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_TOKEN);
 	const userId = verification.value;
 	const hashedPassword = await ctx.context.password.hash(newPassword);
 	if (!(await ctx.context.internalAdapter.findAccounts(userId)).find((ac) => ac.providerId === "credential")) await ctx.context.internalAdapter.createAccount({
@@ -156,7 +156,6 @@ const resetPassword = createAuthEndpoint("/reset-password", {
 		accountId: userId
 	});
 	else await ctx.context.internalAdapter.updatePassword(userId, hashedPassword);
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(id);
 	if (ctx.context.options.emailAndPassword?.onPasswordReset) {
 		const user = await ctx.context.internalAdapter.findUserById(userId);
 		if (user) await ctx.context.options.emailAndPassword.onPasswordReset({ user }, ctx.request);

package/dist/api/routes/session.d.mts

@@ -45,6 +45,17 @@ declare const getSession: <Option extends BetterAuthOptions>() => better_call0.S
   session: Session$1<Option["session"], Option["plugins"]>;
   user: User$1<Option["user"], Option["plugins"]>;
 } | null>;
+/**
+ * Whether the deployment keeps sessions in a durable server-side store
+ * (a database or secondary storage) rather than only in the signed cookie.
+ *
+ * Sensitive operations use this to decide whether the cookie cache is merely an
+ * optimization that must be bypassed for an authoritative read (`true`), or the
+ * only place the session lives and therefore the authority itself (`false`, for
+ * stateless / DB-less deployments). Pass the result as `disableCookieCache` so a
+ * revoked-but-cached session cannot authorize a sensitive action.
+ */
+declare const isStateful: (ctx: GenericEndpointContext) => boolean;
 declare const getSessionFromCtx: <U extends Record<string, any> = Record<string, any>, S extends Record<string, any> = Record<string, any>>(ctx: GenericEndpointContext, config?: {
   disableCookieCache?: boolean;
   disableRefresh?: boolean;
@@ -409,4 +420,4 @@ declare const revokeOtherSessions: better_call0.StrictEndpoint<"/revoke-other-se
   status: boolean;
 }>;
 //#endregion
-export { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware };
+export { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware };

package/dist/api/routes/session.mjs

@@ -1,4 +1,5 @@
 import { isAPIError } from "../../utils/is-api-error.mjs";
+import { hasServerSessionStore } from "../../context/store-capabilities.mjs";
 import { symmetricDecodeJWT, verifyJWT } from "../../crypto/jwt.mjs";
 import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
 import { getDate } from "../../utils/date.mjs";
@@ -265,6 +266,17 @@ const getSession = () => createAuthEndpoint("/get-session", {
 		throw APIError.from("INTERNAL_SERVER_ERROR", BASE_ERROR_CODES.FAILED_TO_GET_SESSION);
 	}
 });
+/**
+* Whether the deployment keeps sessions in a durable server-side store
+* (a database or secondary storage) rather than only in the signed cookie.
+*
+* Sensitive operations use this to decide whether the cookie cache is merely an
+* optimization that must be bypassed for an authoritative read (`true`), or the
+* only place the session lives and therefore the authority itself (`false`, for
+* stateless / DB-less deployments). Pass the result as `disableCookieCache` so a
+* revoked-but-cached session cannot authorize a sensitive action.
+*/
+const isStateful = (ctx) => hasServerSessionStore(ctx.context.options);
 const getSessionFromCtx = async (ctx, config) => {
 	if (ctx.context.session) return ctx.context.session;
 	const session = await getSession()({
@@ -488,4 +500,4 @@ const revokeOtherSessions = createAuthEndpoint("/revoke-other-sessions", {
 	return ctx.json({ status: true });
 });
 //#endregion
-export { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware };
+export { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware };