better-auth 1.6.16 → 1.6.17

package/dist/api/routes/sign-in.mjs

@@ -80,7 +80,7 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 		}
 		const { token, nonce } = c.body.idToken;
 		if (!await provider.verifyIdToken(token, nonce)) {
-			c.context.logger.error("Invalid id token", { provider: c.body.provider });
+			c.context.logger.warn("Invalid id token", { provider: c.body.provider });
 			throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_TOKEN);
 		}
 		const userInfo = await provider.getUserInfo({
@@ -205,26 +205,26 @@ const signInEmail = () => createAuthEndpoint("/sign-in/email", {
 	const user = await ctx.context.internalAdapter.findUserByEmail(email, { includeAccounts: true });
 	if (!user) {
 		await ctx.context.password.hash(password);
-		ctx.context.logger.error("User not found", { email });
+		ctx.context.logger.warn("User not found");
 		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_EMAIL_OR_PASSWORD);
 	}
 	const credentialAccount = user.accounts.find((a) => a.providerId === "credential");
 	if (!credentialAccount) {
 		await ctx.context.password.hash(password);
-		ctx.context.logger.error("Credential account not found", { email });
+		ctx.context.logger.warn("Credential account not found");
 		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_EMAIL_OR_PASSWORD);
 	}
 	const currentPassword = credentialAccount?.password;
 	if (!currentPassword) {
 		await ctx.context.password.hash(password);
-		ctx.context.logger.error("Password not found", { email });
+		ctx.context.logger.warn("Password not found");
 		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_EMAIL_OR_PASSWORD);
 	}
 	if (!await ctx.context.password.verify({
 		hash: currentPassword,
 		password
 	})) {
-		ctx.context.logger.error("Invalid password");
+		ctx.context.logger.warn("Invalid password");
 		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_EMAIL_OR_PASSWORD);
 	}
 	if (ctx.context.options?.emailAndPassword?.requireEmailVerification && !user.user.emailVerified) {

package/dist/api/routes/sign-up.mjs

@@ -150,12 +150,12 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 		if (!password || typeof password !== "string") throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_PASSWORD);
 		const minPasswordLength = ctx.context.password.config.minPasswordLength;
 		if (password.length < minPasswordLength) {
-			ctx.context.logger.error("Password is too short");
+			ctx.context.logger.warn("Password is too short");
 			throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_SHORT);
 		}
 		const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
 		if (password.length > maxPasswordLength) {
-			ctx.context.logger.error("Password is too long");
+			ctx.context.logger.warn("Password is too long");
 			throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 		}
 		const shouldReturnGenericDuplicateResponse = ctx.context.options.emailAndPassword.requireEmailVerification || ctx.context.options.emailAndPassword.autoSignIn === false;

package/dist/api/routes/update-session.mjs

@@ -1,6 +1,6 @@
 import { parseSessionInput, parseSessionOutput } from "../../db/schema.mjs";
 import { deleteSessionCookie, setSessionCookie } from "../../cookies/index.mjs";
-import { sessionMiddleware } from "./session.mjs";
+import { isStateful, sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
@@ -38,8 +38,7 @@ const updateSession = () => createAuthEndpoint("/update-session", {
 		...additionalFields,
 		updatedAt: /* @__PURE__ */ new Date()
 	});
-	const isStateful = !!ctx.context.options.database || !!ctx.context.options.secondaryStorage;
-	if (!updatedSession && isStateful) {
+	if (!updatedSession && isStateful(ctx)) {
 		deleteSessionCookie(ctx);
 		throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.FAILED_TO_GET_SESSION);
 	}

package/dist/api/routes/update-user.mjs

@@ -2,7 +2,7 @@ import { originCheck } from "../middlewares/origin-check.mjs";
 import { parseUserInput, parseUserOutput } from "../../db/schema.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { deleteSessionCookie, setSessionCookie } from "../../cookies/index.mjs";
-import { getSessionFromCtx, sensitiveSessionMiddleware, sessionMiddleware } from "./session.mjs";
+import { getSessionFromCtx, isStateful, sensitiveSessionMiddleware, sessionMiddleware } from "./session.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { createAuthEndpoint } from "@better-auth/core/api";
@@ -150,12 +150,12 @@ const changePassword = createAuthEndpoint("/change-password", {
 	const session = ctx.context.session;
 	const minPasswordLength = ctx.context.password.config.minPasswordLength;
 	if (newPassword.length < minPasswordLength) {
-		ctx.context.logger.error("Password is too short");
+		ctx.context.logger.warn("Password is too short");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_SHORT);
 	}
 	const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
 	if (newPassword.length > maxPasswordLength) {
-		ctx.context.logger.error("Password is too long");
+		ctx.context.logger.warn("Password is too long");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 	}
 	const account = (await ctx.context.internalAdapter.findAccounts(session.user.id)).find((account) => account.providerId === "credential" && account.password);
@@ -182,7 +182,7 @@ const changePassword = createAuthEndpoint("/change-password", {
 		user: parseUserOutput(ctx.context.options, session.user)
 	});
 });
-const setPassword = createAuthEndpoint({
+const setPassword = createAuthEndpoint.serverOnly({
 	method: "POST",
 	body: z.object({ newPassword: z.string().meta({ description: "The new password to set is required" }) }),
 	use: [sensitiveSessionMiddleware]
@@ -191,12 +191,12 @@ const setPassword = createAuthEndpoint({
 	const session = ctx.context.session;
 	const minPasswordLength = ctx.context.password.config.minPasswordLength;
 	if (newPassword.length < minPasswordLength) {
-		ctx.context.logger.error("Password is too short");
+		ctx.context.logger.warn("Password is too short");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_SHORT);
 	}
 	const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
 	if (newPassword.length > maxPasswordLength) {
-		ctx.context.logger.error("Password is too long");
+		ctx.context.logger.warn("Password is too long");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 	}
 	const account = (await ctx.context.internalAdapter.findAccounts(session.user.id)).find((account) => account.providerId === "credential" && account.password);
@@ -354,17 +354,15 @@ const deleteUserCallback = createAuthEndpoint("/delete-user/callback", {
 			code: "NOT_FOUND"
 		});
 	}
-	const session = await getSessionFromCtx(ctx);
+	const session = await getSessionFromCtx(ctx, { disableCookieCache: isStateful(ctx) });
 	if (!session) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.FAILED_TO_GET_USER_INFO);
-	const token = await ctx.context.internalAdapter.findVerificationValue(`delete-account-${ctx.query.token}`);
-	if (!token || token.expiresAt < /* @__PURE__ */ new Date()) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.INVALID_TOKEN);
-	if (token.value !== session.user.id) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.INVALID_TOKEN);
+	const token = await ctx.context.internalAdapter.consumeVerificationValue(`delete-account-${ctx.query.token}`);
+	if (!token || token.value !== session.user.id) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.INVALID_TOKEN);
 	const beforeDelete = ctx.context.options.user.deleteUser?.beforeDelete;
 	if (beforeDelete) await beforeDelete(session.user, ctx.request);
 	await ctx.context.internalAdapter.deleteUser(session.user.id);
 	await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 	await ctx.context.internalAdapter.deleteAccounts(session.user.id);
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(`delete-account-${ctx.query.token}`);
 	deleteSessionCookie(ctx);
 	const afterDelete = ctx.context.options.user.deleteUser?.afterDelete;
 	if (afterDelete) await afterDelete(session.user, ctx.request);
@@ -414,7 +412,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 	}
 	const newEmail = ctx.body.newEmail.toLowerCase();
 	if (newEmail === ctx.context.session.user.email) {
-		ctx.context.logger.error("Email is the same");
+		ctx.context.logger.warn("Email is the same");
 		throw APIError.fromStatus("BAD_REQUEST", { message: "Email is the same" });
 	}
 	/**

package/dist/auth/base.mjs

@@ -14,16 +14,20 @@ const createBetterAuth = (options, initFn) => {
 			let handlerCtx;
 			if (isDynamicBaseURLConfig(options.baseURL)) handlerCtx = await resolveRequestContext(ctx, request, resolveDynamicTrustedProxyHeaders(ctx.options));
 			else {
-				handlerCtx = ctx;
+				handlerCtx = Object.create(Object.getPrototypeOf(ctx), Object.getOwnPropertyDescriptors(ctx));
+				let trustOptions = ctx.options;
 				if (!ctx.options.baseURL) {
 					const baseURL = getBaseURL(void 0, basePath, request, void 0, ctx.options.advanced?.trustedProxyHeaders);
-					if (baseURL) {
-						ctx.baseURL = baseURL;
-						ctx.options.baseURL = getOrigin(ctx.baseURL) || void 0;
-					} else throw new BetterAuthError("Could not get base URL from request. Please provide a valid base URL.");
+					if (!baseURL) throw new BetterAuthError("Could not get base URL from request. Please provide a valid base URL.");
+					handlerCtx.baseURL = baseURL;
+					handlerCtx.options = {
+						...ctx.options,
+						baseURL: getOrigin(baseURL) || void 0
+					};
+					trustOptions = handlerCtx.options;
 				}
-				handlerCtx.trustedOrigins = await getTrustedOrigins(ctx.options, request);
-				handlerCtx.trustedProviders = await getTrustedProviders(ctx.options, request);
+				handlerCtx.trustedOrigins = await getTrustedOrigins(trustOptions, request);
+				handlerCtx.trustedProviders = await getTrustedProviders(trustOptions, request);
 			}
 			const { handler } = router(handlerCtx, options);
 			return runWithAdapter(handlerCtx.adapter, () => handler(request));

package/dist/client/equality.d.mts

@@ -0,0 +1,19 @@
+import { Store, StoreValue } from "nanostores";
+
+//#region src/client/equality.d.ts
+/**
+ * Deep structural equality for JSON-serializable values.
+ * Handles: primitives, null, arrays, and plain objects.
+ * Short-circuits on referential equality at every recursion level.
+ */
+declare function isJsonEqual(a: unknown, b: unknown): boolean;
+/**
+ * Attach an equality gate to a nanostores atom via `onSet`.
+ * When `isEqual(currentValue, newValue)` returns true, the `set()` call
+ * is aborted: no listeners fire, no framework re-renders occur.
+ *
+ * Returns the unsubscribe function from `onSet`.
+ */
+declare function withEquality<S extends Store>(store: S, isEqual: (a: StoreValue<S>, b: StoreValue<S>) => boolean): () => void;
+//#endregion
+export { isJsonEqual, withEquality };

package/dist/client/equality.mjs

@@ -0,0 +1,42 @@
+import { onSet } from "nanostores";
+//#region src/client/equality.ts
+function isPlainObject(value) {
+	if (typeof value !== "object" || value === null) return false;
+	const prototype = Object.getPrototypeOf(value);
+	return prototype === Object.prototype || prototype === null;
+}
+/**
+* Deep structural equality for JSON-serializable values.
+* Handles: primitives, null, arrays, and plain objects.
+* Short-circuits on referential equality at every recursion level.
+*/
+function isJsonEqual(a, b) {
+	if (a === b) return true;
+	if (Array.isArray(a) && Array.isArray(b)) {
+		if (a.length !== b.length) return false;
+		for (let i = 0; i < a.length; i++) if (!isJsonEqual(a[i], b[i])) return false;
+		return true;
+	}
+	if (isPlainObject(a) && isPlainObject(b)) {
+		const keysA = Object.keys(a);
+		const keysB = Object.keys(b);
+		if (keysA.length !== keysB.length) return false;
+		for (const key of keysA) if (!(key in b) || !isJsonEqual(a[key], b[key])) return false;
+		return true;
+	}
+	return false;
+}
+/**
+* Attach an equality gate to a nanostores atom via `onSet`.
+* When `isEqual(currentValue, newValue)` returns true, the `set()` call
+* is aborted: no listeners fire, no framework re-renders occur.
+*
+* Returns the unsubscribe function from `onSet`.
+*/
+function withEquality(store, isEqual) {
+	return onSet(store, ({ newValue, abort }) => {
+		if (isEqual(store.value, newValue)) abort();
+	});
+}
+//#endregion
+export { isJsonEqual, withEquality };

package/dist/client/index.d.mts

@@ -1,12 +1,13 @@
 import { ExtractPluginField, HasRequiredKeys, InferPluginFieldFromTuple, IsAny, OverrideMerge, Prettify, PrettifyDeep, RequiredKeysOf, StripEmptyObjects, UnionToIntersection } from "../types/helper.mjs";
-import { CamelCase, InferCtx, InferRoute, InferRoutes, InferSignUpEmailCtx, InferUserUpdateCtx, MergeRoutes, PathToObject, ProxyRequest } from "./path-to-object.mjs";
+import { CamelCase, InferCtx, InferRoute, InferRoutes, InferSessionUpdateCtx, InferSignUpEmailCtx, InferUserUpdateCtx, MergeRoutes, PathToObject, ProxyRequest } from "./path-to-object.mjs";
 import { BetterAuthClientOptions, BetterAuthClientPlugin, ClientAtomListener, ClientStore, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferSessionFromClient, InferUserFromClient, IsSignal, SessionQueryParams } from "./types.mjs";
 import { BroadcastChannel, BroadcastListener, BroadcastMessage, getGlobalBroadcastChannel, kBroadcastChannel } from "./broadcast-channel.mjs";
+import { isJsonEqual, withEquality } from "./equality.mjs";
 import { FocusListener, FocusManager, kFocusManager } from "./focus-manager.mjs";
 import { OnlineListener, OnlineManager, kOnlineManager } from "./online-manager.mjs";
 import { parseJSON } from "./parser.mjs";
-import { AuthQueryAtom, useAuthQuery } from "./query.mjs";
-import { SessionRefreshOptions, SessionResponse, createSessionRefreshManager } from "./session-refresh.mjs";
+import { AuthQueryAtom, AuthQueryState, useAuthQuery } from "./query.mjs";
+import { SessionRefreshOptions, createSessionRefreshManager } from "./session-refresh.mjs";
 import { AuthClient, createAuthClient } from "./vanilla.mjs";
 import { AccessControl, ArrayElement, ExactRoleStatements, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, Statements, SubArray, Subset } from "../plugins/access/types.mjs";
 import { AuthorizeResponse, createAccessControl, role } from "../plugins/access/access.mjs";
@@ -31,4 +32,4 @@ declare function InferAuth<O extends {
   options: BetterAuthOptions;
 }>(): O["options"];
 //#endregion
-export { AccessControl, ArrayElement, AuthClient, AuthQueryAtom, AuthorizeResponse, BetterAuthClientOptions, BetterAuthClientPlugin, BroadcastChannel, BroadcastListener, BroadcastMessage, CamelCase, ClientAtomListener, ClientStore, type DBPrimitive, DefaultOrganizationPlugin, DynamicAccessControlEndpoints, ExactRoleStatements, ExtractPluginField, type FocusListener, type FocusManager, HasRequiredKeys, InferActions, InferAdditionalFromClient, InferAuth, InferClientAPI, InferCtx, InferErrorCodes, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPlugin, InferPluginFieldFromTuple, InferRoute, InferRoutes, InferSessionFromClient, InferSignUpEmailCtx, InferTeam, InferUserFromClient, InferUserUpdateCtx, Invitation, InvitationInput, InvitationStatus, IsAny, IsSignal, Member, MemberInput, MergeRoutes, type OnlineListener, type OnlineManager, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, OverrideMerge, PathToObject, Prettify, PrettifyDeep, ProxyRequest, RequiredKeysOf, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SessionQueryParams, SessionRefreshOptions, SessionResponse, Statements, StripEmptyObjects, SubArray, Subset, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, type UnionToIntersection, createAccessControl, createAuthClient, createSessionRefreshManager, defaultRolesSchema, getGlobalBroadcastChannel, getOrgAdapter, hasPermission, invitationSchema, invitationStatus, kBroadcastChannel, kFocusManager, kOnlineManager, memberSchema, organization, organizationRoleSchema, organizationSchema, parseJSON, parseRoles, role, roleSchema, teamMemberSchema, teamSchema, useAuthQuery };
+export { AccessControl, ArrayElement, AuthClient, AuthQueryAtom, AuthQueryState, AuthorizeResponse, BetterAuthClientOptions, BetterAuthClientPlugin, BroadcastChannel, BroadcastListener, BroadcastMessage, CamelCase, ClientAtomListener, ClientStore, type DBPrimitive, DefaultOrganizationPlugin, DynamicAccessControlEndpoints, ExactRoleStatements, ExtractPluginField, type FocusListener, type FocusManager, HasRequiredKeys, InferActions, InferAdditionalFromClient, InferAuth, InferClientAPI, InferCtx, InferErrorCodes, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPlugin, InferPluginFieldFromTuple, InferRoute, InferRoutes, InferSessionFromClient, InferSessionUpdateCtx, InferSignUpEmailCtx, InferTeam, InferUserFromClient, InferUserUpdateCtx, Invitation, InvitationInput, InvitationStatus, IsAny, IsSignal, Member, MemberInput, MergeRoutes, type OnlineListener, type OnlineManager, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, OverrideMerge, PathToObject, Prettify, PrettifyDeep, ProxyRequest, RequiredKeysOf, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SessionQueryParams, SessionRefreshOptions, Statements, StripEmptyObjects, SubArray, Subset, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, type UnionToIntersection, createAccessControl, createAuthClient, createSessionRefreshManager, defaultRolesSchema, getGlobalBroadcastChannel, getOrgAdapter, hasPermission, invitationSchema, invitationStatus, isJsonEqual, kBroadcastChannel, kFocusManager, kOnlineManager, memberSchema, organization, organizationRoleSchema, organizationSchema, parseJSON, parseRoles, role, roleSchema, teamMemberSchema, teamSchema, useAuthQuery, withEquality };

package/dist/client/index.mjs

@@ -1,5 +1,6 @@
 import { PACKAGE_VERSION } from "../version.mjs";
 import { getGlobalBroadcastChannel, kBroadcastChannel } from "./broadcast-channel.mjs";
+import { isJsonEqual, withEquality } from "./equality.mjs";
 import { kFocusManager } from "./focus-manager.mjs";
 import { kOnlineManager } from "./online-manager.mjs";
 import { parseJSON } from "./parser.mjs";
@@ -18,4 +19,4 @@ function InferAuth() {
 	return {};
 }
 //#endregion
-export { InferAuth, InferPlugin, createAuthClient, createSessionRefreshManager, getGlobalBroadcastChannel, kBroadcastChannel, kFocusManager, kOnlineManager, parseJSON, useAuthQuery };
+export { InferAuth, InferPlugin, createAuthClient, createSessionRefreshManager, getGlobalBroadcastChannel, isJsonEqual, kBroadcastChannel, kFocusManager, kOnlineManager, parseJSON, useAuthQuery, withEquality };

package/dist/client/path-to-object.d.mts

@@ -30,6 +30,9 @@ type InferUserUpdateCtx<ClientOpts extends BetterAuthClientOptions, FetchOptions
   name?: string | undefined;
   fetchOptions?: FetchOptions | undefined;
 } & Partial<UnionToIntersection<InferAdditionalFromClient<ClientOpts, "user", "input">>>;
+type InferSessionUpdateCtx<ClientOpts extends BetterAuthClientOptions, FetchOptions extends ClientFetchOption> = {
+  fetchOptions?: FetchOptions | undefined;
+} & Partial<UnionToIntersection<InferAdditionalFromClient<ClientOpts, "session", "input">>>;
 type InferCtxQuery<C extends InputContext<any, any>, FetchOptions extends ClientFetchOption> = C["query"] extends Record<string, any> ? {
   query: C["query"];
   fetchOptions?: FetchOptions | undefined;
@@ -51,7 +54,7 @@ type InferRoute<API, COpts extends BetterAuthClientOptions> = API extends Record
   scope: "http";
 } | {
   scope: "server";
-} ? {} : PathToObject<T["path"], T extends ((ctx: infer C) => infer R) ? C extends InputContext<any, any> ? <FetchOptions extends ClientFetchOption<Partial<C["body"]> & Record<string, any>, Partial<C["query"]> & Record<string, any>, C["params"]>>(...data: HasRequiredKeys<InferCtx<C, FetchOptions>> extends true ? [Prettify$1<T["path"] extends `/sign-up/email` ? InferSignUpEmailCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>, FetchOptions?] : [Prettify$1<T["path"] extends `/update-user` ? InferUserUpdateCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>?, FetchOptions?]) => Promise<BetterFetchResponse<T["options"]["metadata"] extends {
+} ? {} : PathToObject<T["path"], T extends ((ctx: infer C) => infer R) ? C extends InputContext<any, any> ? <FetchOptions extends ClientFetchOption<Partial<C["body"]> & Record<string, any>, Partial<C["query"]> & Record<string, any>, C["params"]>>(...data: HasRequiredKeys<InferCtx<C, FetchOptions>> extends true ? [Prettify$1<T["path"] extends `/sign-up/email` ? InferSignUpEmailCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>, FetchOptions?] : [Prettify$1<T["path"] extends `/update-user` ? InferUserUpdateCtx<COpts, FetchOptions> : T["path"] extends `/update-session` ? InferSessionUpdateCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>?, FetchOptions?]) => Promise<BetterFetchResponse<T["options"]["metadata"] extends {
   CUSTOM_SESSION: boolean;
 } ? MergeCustomSessionWithInferred<NonNullable<Awaited<R>>, COpts> : T["path"] extends "/get-session" ? {
   user: InferUserFromClient<COpts>;
@@ -69,4 +72,4 @@ type ProxyRequest = {
   [key: string]: any;
 };
 //#endregion
-export { CamelCase, InferCtx, InferRoute, InferRoutes, InferSignUpEmailCtx, InferUserUpdateCtx, MergeRoutes, PathToObject, ProxyRequest };
+export { CamelCase, InferCtx, InferRoute, InferRoutes, InferSessionUpdateCtx, InferSignUpEmailCtx, InferUserUpdateCtx, MergeRoutes, PathToObject, ProxyRequest };

package/dist/client/plugins/index.d.mts

@@ -19,6 +19,8 @@ import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "../../plugins/jwt/ty
 import { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody } from "../../plugins/oidc-provider/types.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "../../plugins/multi-session/error-codes.mjs";
 import { MultiSessionConfig } from "../../plugins/multi-session/index.mjs";
+import { POPUP_TOKEN_STORAGE_KEY } from "../../plugins/oauth-popup/constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "../../plugins/oauth-popup/error-codes.mjs";
 import { OneTimeTokenOptions } from "../../plugins/one-time-token/index.mjs";
 import { PhoneNumberOptions, UserWithPhoneNumber } from "../../plugins/phone-number/types.mjs";
 import { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode } from "../../plugins/two-factor/backup-codes/index.mjs";
@@ -44,6 +46,7 @@ import { jwtClient } from "../../plugins/jwt/client.mjs";
 import { LastLoginMethodClientConfig, lastLoginMethodClient } from "../../plugins/last-login-method/client.mjs";
 import { magicLinkClient } from "../../plugins/magic-link/client.mjs";
 import { multiSessionClient } from "../../plugins/multi-session/client.mjs";
+import { SignInPopupOptions, SignInPopupResult, createSignInPopup, getStoredPopupToken, oauthPopupClient, popupBearerFetchPlugin } from "../../plugins/oauth-popup/client.mjs";
 import { OidcClientPlugin, oidcClient } from "../../plugins/oidc-provider/client.mjs";
 import { GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, oneTapClient } from "../../plugins/one-tap/client.mjs";
 import { oneTimeTokenClient } from "../../plugins/one-time-token/client.mjs";
@@ -53,4 +56,4 @@ import { phoneNumberClient } from "../../plugins/phone-number/client.mjs";
 import { siweClient } from "../../plugins/siwe/client.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminClientOptions, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, type FieldAttributeToObject, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationClientOptions, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, type RemoveFieldsWithReturnedFalse, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminClientOptions, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, type FieldAttributeToObject, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAUTH_POPUP_ERROR_CODES, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationClientOptions, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, POPUP_TOKEN_STORAGE_KEY, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, type RemoveFieldsWithReturnedFalse, RequiredKeysOf, SessionWithImpersonatedBy, SignInPopupOptions, SignInPopupResult, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, createSignInPopup, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, getStoredPopupToken, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oauthPopupClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, popupBearerFetchPlugin, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };

package/dist/client/plugins/index.mjs

@@ -14,6 +14,9 @@ import { lastLoginMethodClient } from "../../plugins/last-login-method/client.mj
 import { magicLinkClient } from "../../plugins/magic-link/client.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "../../plugins/multi-session/error-codes.mjs";
 import { multiSessionClient } from "../../plugins/multi-session/client.mjs";
+import { POPUP_TOKEN_STORAGE_KEY } from "../../plugins/oauth-popup/constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "../../plugins/oauth-popup/error-codes.mjs";
+import { createSignInPopup, getStoredPopupToken, oauthPopupClient, popupBearerFetchPlugin } from "../../plugins/oauth-popup/client.mjs";
 import { oidcClient } from "../../plugins/oidc-provider/client.mjs";
 import { oneTapClient } from "../../plugins/one-tap/client.mjs";
 import { oneTimeTokenClient } from "../../plugins/one-time-token/client.mjs";
@@ -27,4 +30,4 @@ import { twoFactorClient } from "../../plugins/two-factor/client.mjs";
 import { USERNAME_ERROR_CODES } from "../../plugins/username/error-codes.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, GENERIC_OAUTH_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, GENERIC_OAUTH_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, OAUTH_POPUP_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, POPUP_TOKEN_STORAGE_KEY, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, createSignInPopup, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, getStoredPopupToken, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oauthPopupClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, popupBearerFetchPlugin, siweClient, twoFactorClient, usernameClient };

package/dist/client/query.d.mts

@@ -4,7 +4,7 @@ import { PreinitializedWritableAtom } from "nanostores";
 import { BetterFetch, BetterFetchError } from "@better-fetch/fetch";
 
 //#region src/client/query.d.ts
-type AuthQueryAtom<T> = PreinitializedWritableAtom<{
+type AuthQueryState<T> = {
   data: null | T;
   error: null | BetterFetchError;
   isPending: boolean;
@@ -12,11 +12,12 @@ type AuthQueryAtom<T> = PreinitializedWritableAtom<{
   refetch: (queryParams?: {
     query?: SessionQueryParams;
   } | undefined) => Promise<void>;
-}>;
+};
+type AuthQueryAtom<T> = PreinitializedWritableAtom<AuthQueryState<T>>;
 declare const useAuthQuery: <T>(initializedAtom: PreinitializedWritableAtom<any> | PreinitializedWritableAtom<any>[], path: string, $fetch: BetterFetch, options?: (((value: {
   data: null | T;
   error: null | BetterFetchError;
   isPending: boolean;
 }) => ClientFetchOption) | ClientFetchOption) | undefined) => AuthQueryAtom<T>;
 //#endregion
-export { AuthQueryAtom, useAuthQuery };
+export { AuthQueryAtom, AuthQueryState, useAuthQuery };

package/dist/client/query.mjs

@@ -1,6 +1,10 @@
+import { isJsonEqual, withEquality } from "./equality.mjs";
 import { atom, onMount } from "nanostores";
 //#region src/client/query.ts
 const isServer = () => typeof window === "undefined";
+function isAuthQueryStateEqual(a, b) {
+	return isJsonEqual(a.data, b.data) && a.error === b.error && a.isPending === b.isPending && a.isRefetching === b.isRefetching && a.refetch === b.refetch;
+}
 const useAuthQuery = (initializedAtom, path, $fetch, options) => {
 	const value = atom({
 		data: null,
@@ -9,6 +13,7 @@ const useAuthQuery = (initializedAtom, path, $fetch, options) => {
 		isRefetching: false,
 		refetch: (queryParams) => fn(queryParams)
 	});
+	withEquality(value, isAuthQueryStateEqual);
 	const fn = async (queryParams) => {
 		return new Promise((resolve) => {
 			const opts = typeof options === "function" ? options({
@@ -23,8 +28,10 @@ const useAuthQuery = (initializedAtom, path, $fetch, options) => {
 					...queryParams?.query
 				},
 				async onSuccess(context) {
+					const current = value.get();
+					const stableData = current.data != null && context.data != null && isJsonEqual(current.data, context.data) ? current.data : context.data;
 					value.set({
-						data: context.data,
+						data: stableData,
 						error: null,
 						isPending: false,
 						isRefetching: false,
@@ -73,23 +80,26 @@ const useAuthQuery = (initializedAtom, path, $fetch, options) => {
 	};
 	initializedAtom = Array.isArray(initializedAtom) ? initializedAtom : [initializedAtom];
 	let isInitialized = false;
-	for (const initAtom of initializedAtom) initAtom.subscribe(async () => {
-		if (isServer()) return;
-		if (isInitialized) await fn();
-		else onMount(value, () => {
-			const timeoutId = setTimeout(async () => {
-				if (!isInitialized) {
-					isInitialized = true;
-					await fn();
-				}
-			}, 0);
-			return () => {
-				value.off();
-				initAtom.off();
-				clearTimeout(timeoutId);
-			};
+	const cleanups = [];
+	for (const initAtom of initializedAtom) {
+		const unbind = initAtom.subscribe(async () => {
+			if (isServer()) return;
+			if (isInitialized) await fn();
+			else onMount(value, () => {
+				const timeoutId = setTimeout(async () => {
+					if (!isInitialized) {
+						isInitialized = true;
+						await fn();
+					}
+				}, 0);
+				return () => {
+					for (const u of cleanups) u();
+					clearTimeout(timeoutId);
+				};
+			});
 		});
-	});
+		cleanups.push(unbind);
+	}
 	return value;
 };
 //#endregion

package/dist/client/session-atom.mjs

@@ -1,21 +1,146 @@
-import { useAuthQuery } from "./query.mjs";
+import { isJsonEqual, withEquality } from "./equality.mjs";
 import { createSessionRefreshManager } from "./session-refresh.mjs";
 import { atom, onMount } from "nanostores";
 //#region src/client/session-atom.ts
+const isServer = () => typeof window === "undefined";
+/**
+* Normalize $fetch response: `throw: true` returns data directly,
+* otherwise `{ data, error }`.
+*/
+function normalizeSessionResponse(res) {
+	if (typeof res === "object" && res !== null && "data" in res && "error" in res) return res;
+	return {
+		data: res,
+		error: null
+	};
+}
+function normalizeSessionData(data) {
+	if (!data) return null;
+	if (data.session === null && data.user === null) return null;
+	return data;
+}
+function isSessionAtomEqual(a, b) {
+	return isJsonEqual(a.data, b.data) && a.error === b.error && a.isPending === b.isPending && a.isRefetching === b.isRefetching && a.refetch === b.refetch;
+}
 function getSessionAtom($fetch, options) {
 	const $signal = atom(false);
-	const session = useAuthQuery($signal, "/get-session", $fetch, { method: "GET" });
+	let abortController;
+	const refetch = (queryParams) => fetchSession(queryParams);
+	const session = atom({
+		data: null,
+		error: null,
+		isPending: true,
+		isRefetching: false,
+		refetch
+	});
+	withEquality(session, isSessionAtomEqual);
+	const settleAbortedFetch = (controller) => {
+		if (abortController !== controller) return;
+		const current = session.get();
+		abortController = void 0;
+		if (!current.isPending && !current.isRefetching) return;
+		session.set({
+			...current,
+			isPending: false,
+			isRefetching: false,
+			refetch
+		});
+	};
+	const fetchSession = async (queryParams) => {
+		abortController?.abort();
+		const controller = new AbortController();
+		abortController = controller;
+		const current = session.get();
+		session.set({
+			...current,
+			isPending: current.data === null,
+			isRefetching: true,
+			error: null,
+			refetch
+		});
+		try {
+			const res = await $fetch("/get-session", {
+				method: "GET",
+				query: queryParams?.query,
+				signal: controller.signal
+			});
+			if (controller.signal.aborted) {
+				settleAbortedFetch(controller);
+				return;
+			}
+			let { data, error } = normalizeSessionResponse(res);
+			if (data?.needsRefresh) try {
+				const refreshRes = await $fetch("/get-session", {
+					method: "POST",
+					signal: controller.signal
+				});
+				if (controller.signal.aborted) {
+					settleAbortedFetch(controller);
+					return;
+				}
+				({data, error} = normalizeSessionResponse(refreshRes));
+			} catch {
+				if (controller.signal.aborted) {
+					settleAbortedFetch(controller);
+					return;
+				}
+			}
+			if (error) {
+				const latest = session.get();
+				const isUnauthorized = error?.status === 401;
+				session.set({
+					data: isUnauthorized ? null : latest.data,
+					error,
+					isPending: false,
+					isRefetching: false,
+					refetch
+				});
+				return;
+			}
+			const sessionData = normalizeSessionData(data);
+			const current = session.get();
+			const stableData = current.data != null && sessionData != null && isJsonEqual(current.data, sessionData) ? current.data : sessionData;
+			session.set({
+				data: stableData,
+				error: null,
+				isPending: false,
+				isRefetching: false,
+				refetch
+			});
+		} catch (fetchError) {
+			if (controller.signal.aborted) {
+				settleAbortedFetch(controller);
+				return;
+			}
+			const latest = session.get();
+			session.set({
+				data: latest.data,
+				error: fetchError,
+				isPending: false,
+				isRefetching: false,
+				refetch
+			});
+		}
+	};
 	let broadcastSessionUpdate = () => {};
 	onMount(session, () => {
+		let timeoutId;
+		if (!isServer()) timeoutId = setTimeout(() => {
+			fetchSession();
+		}, 0);
 		const refreshManager = createSessionRefreshManager({
-			sessionAtom: session,
+			fetchSession,
+			shouldPollSession: () => session.get().data != null,
 			sessionSignal: $signal,
-			$fetch,
 			options
 		});
 		refreshManager.init();
 		broadcastSessionUpdate = refreshManager.broadcastSessionUpdate;
 		return () => {
+			if (timeoutId) clearTimeout(timeoutId);
+			const controller = abortController;
+			controller?.abort();
+			if (controller) settleAbortedFetch(controller);
 			refreshManager.cleanup();
 		};
 	});