better-auth 1.6.16 → 1.6.17

package/dist/client/session-refresh.d.mts

@@ -1,28 +1,13 @@
-import { Session, User } from "../types/models.mjs";
-import { AuthQueryAtom } from "./query.mjs";
 import { BetterAuthClientOptions } from "@better-auth/core";
 import { WritableAtom } from "nanostores";
-import { BetterFetch } from "@better-fetch/fetch";
 
 //#region src/client/session-refresh.d.ts
 interface SessionRefreshOptions {
-  sessionAtom: AuthQueryAtom<{
-    user: User;
-    session: Session;
-  } & Record<string, any>>;
+  fetchSession: () => Promise<void>;
+  shouldPollSession?: () => boolean;
   sessionSignal: WritableAtom<boolean>;
-  $fetch: BetterFetch;
   options?: BetterAuthClientOptions | undefined;
 }
-type SessionResponse = ({
-  session: null;
-  user: null;
-  needsRefresh?: boolean;
-} | {
-  session: Session;
-  user: User;
-  needsRefresh?: boolean;
-}) & Record<string, any>;
 declare function createSessionRefreshManager(opts: SessionRefreshOptions): {
   init: () => void;
   cleanup: () => void;
@@ -32,4 +17,4 @@ declare function createSessionRefreshManager(opts: SessionRefreshOptions): {
   broadcastSessionUpdate: (trigger: "signout" | "getSession" | "updateUser") => void;
 };
 //#endregion
-export { SessionRefreshOptions, SessionResponse, createSessionRefreshManager };
+export { SessionRefreshOptions, createSessionRefreshManager };

package/dist/client/session-refresh.mjs

@@ -4,28 +4,17 @@ import { getGlobalOnlineManager } from "./online-manager.mjs";
 //#region src/client/session-refresh.ts
 const now = () => Math.floor(Date.now() / 1e3);
 /**
-* Normalize $fetch response: `throw: true` returns data directly, otherwise `{ data, error }`.
-*/
-function normalizeSessionResponse(res) {
-	if (typeof res === "object" && res !== null && "data" in res && "error" in res) return res;
-	return {
-		data: res,
-		error: null
-	};
-}
-/**
 * Rate limit: don't refetch on focus if a session request was made within this many seconds
 */
 const FOCUS_REFETCH_RATE_LIMIT_SECONDS = 5;
 function createSessionRefreshManager(opts) {
-	const { sessionAtom, sessionSignal, $fetch, options = {} } = opts;
+	const { fetchSession, shouldPollSession = () => true, sessionSignal, options = {} } = opts;
 	const refetchInterval = options.sessionOptions?.refetchInterval ?? 0;
 	const refetchOnWindowFocus = options.sessionOptions?.refetchOnWindowFocus ?? true;
 	const refetchWhenOffline = options.sessionOptions?.refetchWhenOffline ?? false;
 	const state = {
-		lastSync: 0,
-		lastSessionRequest: 0,
-		cachedSession: void 0
+		isInitialized: false,
+		lastSessionRequest: 0
 	};
 	const shouldRefetch = () => {
 		return refetchWhenOffline || getGlobalOnlineManager().isOnline;
@@ -33,45 +22,21 @@ function createSessionRefreshManager(opts) {
 	const triggerRefetch = (event) => {
 		if (!shouldRefetch()) return;
 		if (event?.event === "storage") {
-			state.lastSync = now();
-			sessionSignal.set(!sessionSignal.get());
+			fetchSession();
 			return;
 		}
-		const currentSession = sessionAtom.get();
-		const fetchSessionWithRefresh = () => {
-			state.lastSessionRequest = now();
-			$fetch("/get-session").then(async (res) => {
-				let { data, error } = normalizeSessionResponse(res);
-				if (data?.needsRefresh) try {
-					const refreshRes = await $fetch("/get-session", { method: "POST" });
-					({data, error} = normalizeSessionResponse(refreshRes));
-				} catch {}
-				const sessionData = data?.session && data?.user ? data : null;
-				sessionAtom.set({
-					...currentSession,
-					data: sessionData,
-					error
-				});
-				state.lastSync = now();
-				sessionSignal.set(!sessionSignal.get());
-			}).catch(() => {});
-		};
 		if (event?.event === "poll") {
-			fetchSessionWithRefresh();
+			state.lastSessionRequest = now();
+			fetchSession();
 			return;
 		}
 		if (event?.event === "visibilitychange") {
 			if (now() - state.lastSessionRequest < FOCUS_REFETCH_RATE_LIMIT_SECONDS) return;
 			state.lastSessionRequest = now();
-		}
-		if (event?.event === "visibilitychange") {
-			fetchSessionWithRefresh();
+			fetchSession();
 			return;
 		}
-		if (currentSession?.data === null || currentSession?.data === void 0) {
-			state.lastSync = now();
-			sessionSignal.set(!sessionSignal.get());
-		}
+		fetchSession();
 	};
 	const broadcastSessionUpdate = (trigger) => {
 		getGlobalBroadcastChannel().post({
@@ -82,7 +47,7 @@ function createSessionRefreshManager(opts) {
 	};
 	const setupPolling = () => {
 		if (refetchInterval && refetchInterval > 0) state.pollInterval = setInterval(() => {
-			if (sessionAtom.get()?.data) triggerRefetch({ event: "poll" });
+			if (shouldPollSession()) triggerRefetch({ event: "poll" });
 		}, refetchInterval * 1e3);
 	};
 	const setupBroadcast = () => {
@@ -101,16 +66,25 @@ function createSessionRefreshManager(opts) {
 			if (online) triggerRefetch({ event: "visibilitychange" });
 		});
 	};
+	const setupSignalSubscription = () => {
+		state.unsubscribeSignal = sessionSignal.listen(() => {
+			fetchSession();
+		});
+	};
 	const init = () => {
+		if (state.isInitialized) return;
+		state.isInitialized = true;
 		setupPolling();
 		setupBroadcast();
 		setupFocusRefetch();
 		setupOnlineRefetch();
-		getGlobalBroadcastChannel().setup();
-		getGlobalFocusManager().setup();
-		getGlobalOnlineManager().setup();
+		setupSignalSubscription();
+		state.cleanupBroadcastSetup = getGlobalBroadcastChannel().setup();
+		state.cleanupFocusSetup = getGlobalFocusManager().setup();
+		state.cleanupOnlineSetup = getGlobalOnlineManager().setup();
 	};
 	const cleanup = () => {
+		if (!state.isInitialized) return;
 		if (state.pollInterval) {
 			clearInterval(state.pollInterval);
 			state.pollInterval = void 0;
@@ -127,9 +101,24 @@ function createSessionRefreshManager(opts) {
 			state.unsubscribeOnline();
 			state.unsubscribeOnline = void 0;
 		}
-		state.lastSync = 0;
+		if (state.unsubscribeSignal) {
+			state.unsubscribeSignal();
+			state.unsubscribeSignal = void 0;
+		}
+		if (state.cleanupBroadcastSetup) {
+			state.cleanupBroadcastSetup();
+			state.cleanupBroadcastSetup = void 0;
+		}
+		if (state.cleanupFocusSetup) {
+			state.cleanupFocusSetup();
+			state.cleanupFocusSetup = void 0;
+		}
+		if (state.cleanupOnlineSetup) {
+			state.cleanupOnlineSetup();
+			state.cleanupOnlineSetup = void 0;
+		}
+		state.isInitialized = false;
 		state.lastSessionRequest = 0;
-		state.cachedSession = void 0;
 	};
 	return {
 		init,

package/dist/client/types.d.mts

@@ -3,7 +3,7 @@ import { StripEmptyObjects, UnionToIntersection } from "../types/helper.mjs";
 import { InferRoutes } from "./path-to-object.mjs";
 import { Session as Session$1, User as User$1 } from "../types/models.mjs";
 import { Auth } from "../types/auth.mjs";
-import { BetterAuthClientOptions as BetterAuthClientOptions$1, BetterAuthClientPlugin as BetterAuthClientPlugin$1, ClientAtomListener, ClientStore } from "@better-auth/core";
+import { BetterAuthClientOptions as BetterAuthClientOptions$1, BetterAuthClientPlugin as BetterAuthClientPlugin$1, ClientAtomListener, ClientStore as ClientStore$1 } from "@better-auth/core";
 import { BetterAuthPluginDBSchema, InferDBFieldsOutput } from "@better-auth/core/db";
 import { RawError } from "@better-auth/core/utils/error-codes";
 
@@ -37,4 +37,4 @@ type SessionQueryParams = {
   disableRefresh?: boolean | undefined;
 };
 //#endregion
-export { type BetterAuthClientOptions$1 as BetterAuthClientOptions, type BetterAuthClientPlugin$1 as BetterAuthClientPlugin, type ClientAtomListener, type ClientStore, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferSessionFromClient, InferUserFromClient, IsSignal, SessionQueryParams };
+export { type BetterAuthClientOptions$1 as BetterAuthClientOptions, type BetterAuthClientPlugin$1 as BetterAuthClientPlugin, type ClientAtomListener, type ClientStore$1 as ClientStore, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferSessionFromClient, InferUserFromClient, IsSignal, SessionQueryParams };

package/dist/context/create-context.mjs

@@ -1,5 +1,6 @@
 import { getBaseURL, isDynamicBaseURLConfig } from "../utils/url.mjs";
 import { matchesOriginPattern } from "../auth/trusted-origins.mjs";
+import { hasServerSessionStore } from "./store-capabilities.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
 import { hashPassword, verifyPassword } from "../crypto/password.mjs";
 import { createCookieGetter, getCookies } from "../cookies/index.mjs";
@@ -42,7 +43,7 @@ function validateSecret(secret, logger) {
 	if (estimateEntropy(secret) < 120) logger.warn("[better-auth] Warning: your BETTER_AUTH_SECRET appears low-entropy. Use a randomly generated secret for production.");
 }
 async function createAuthContext(adapter, options, getDatabaseType) {
-	const isStateful = !!options.database || !!options.secondaryStorage;
+	const isStateful = hasServerSessionStore(options);
 	if (!isStateful) options = defu$1(options, { session: { cookieCache: {
 		enabled: true,
 		strategy: "jwe",

package/dist/context/store-capabilities.mjs

@@ -0,0 +1,12 @@
+//#region src/context/store-capabilities.ts
+function hasServerSessionStore(options) {
+	return !!options.database || !!options.secondaryStorage;
+}
+function hasServerAccountStore(options) {
+	return !!options.database;
+}
+function shouldBindAccountCookieToSessionUser(options) {
+	return hasServerAccountStore(options);
+}
+//#endregion
+export { hasServerSessionStore, shouldBindAccountCookieToSessionUser };

package/dist/cookies/index.mjs

@@ -1,4 +1,5 @@
 import { isDynamicBaseURLConfig } from "../utils/url.mjs";
+import { shouldBindAccountCookieToSessionUser } from "../context/store-capabilities.mjs";
 import { signJWT, symmetricDecodeJWT, symmetricEncodeJWT, verifyJWT } from "../crypto/jwt.mjs";
 import { parseUserOutput } from "../db/schema.mjs";
 import { getDate } from "../utils/date.mjs";
@@ -114,9 +115,9 @@ async function setCookieCache(ctx, session, dontRememberMe) {
 		}
 		ctx.setCookie(ctx.context.authCookies.sessionData.name, data, options);
 	}
-	if (ctx.context.options.account?.storeAccountCookie) {
+	if (ctx.context.options.account?.storeAccountCookie && !hasPendingSetCookie(ctx, ctx.context.authCookies.accountData.name)) {
 		const accountData = await getAccountCookie(ctx);
-		if (accountData) if (accountData.userId === session.user.id) await setAccountCookie(ctx, accountData);
+		if (accountData) if (!shouldBindAccountCookieToSessionUser(ctx.context.options) || accountData.userId === session.user.id) await setAccountCookie(ctx, accountData);
 		else {
 			expireCookie(ctx, ctx.context.authCookies.accountData);
 			const accountStore = createAccountStore(ctx.context.authCookies.accountData.name, ctx.context.authCookies.accountData.attributes, ctx);
@@ -175,6 +176,20 @@ function removeSetCookieEntries(ctx, cookieName) {
 	}
 }
 /**
+* Whether the response already has a pending `Set-Cookie` for `cookieName`
+* or a chunked variant.
+*/
+function hasPendingSetCookie(ctx, cookieName) {
+	const scoped = ctx;
+	const targets = /* @__PURE__ */ new Set();
+	if (scoped.responseHeaders) targets.add(scoped.responseHeaders);
+	if (scoped.context?.responseHeaders) targets.add(scoped.context.responseHeaders);
+	const exact = `${cookieName}=`;
+	const chunk = `${cookieName}.`;
+	for (const headers of targets) if ((typeof headers.getSetCookie === "function" ? headers.getSetCookie() : splitSetCookieHeader(headers.get("set-cookie") || "")).some((entry) => entry.startsWith(exact) || entry.startsWith(chunk))) return true;
+	return false;
+}
+/**
 * Expires a cookie by setting `maxAge: 0` while preserving its attributes
 */
 function expireCookie(ctx, cookie) {
@@ -236,6 +251,10 @@ const getCookieCache = async (request, config) => {
 		const secret = config?.secret || env.BETTER_AUTH_SECRET;
 		if (!secret) throw new BetterAuthError("getCookieCache requires a secret to be provided. Either pass it as an option or set the BETTER_AUTH_SECRET environment variable");
 		const strategy = config?.strategy || "compact";
+		const isEmbeddedSessionExpired = (payload) => {
+			const expiresAt = payload.session?.expiresAt;
+			return !!expiresAt && new Date(expiresAt).getTime() < Date.now();
+		};
 		if (strategy === "jwe") {
 			const payload = await symmetricDecodeJWT(sessionData, secret, "better-auth-session");
 			if (payload && payload.session && payload.user) {
@@ -249,6 +268,7 @@ const getCookieCache = async (request, config) => {
 					}
 					if (cookieVersion !== expectedVersion) return null;
 				}
+				if (isEmbeddedSessionExpired(payload)) return null;
 				return payload;
 			}
 			return null;
@@ -265,6 +285,7 @@ const getCookieCache = async (request, config) => {
 					}
 					if (cookieVersion !== expectedVersion) return null;
 				}
+				if (isEmbeddedSessionExpired(payload)) return null;
 				return payload;
 			}
 			return null;
@@ -285,6 +306,8 @@ const getCookieCache = async (request, config) => {
 				}
 				if (cookieVersion !== expectedVersion) return null;
 			}
+			if (typeof sessionDataPayload.expiresAt === "number" && sessionDataPayload.expiresAt < Date.now()) return null;
+			if (isEmbeddedSessionExpired(sessionDataPayload.session)) return null;
 			return sessionDataPayload.session;
 		}
 	}

package/dist/db/internal-adapter.mjs

@@ -6,6 +6,8 @@ import { getWithHooks } from "./with-hooks.mjs";
 import { getCurrentAdapter, getCurrentAuthContext, runWithTransaction } from "@better-auth/core/context";
 import { generateId } from "@better-auth/core/utils/id";
 import { safeJSONParse } from "@better-auth/core/utils/json";
+import { base64Url } from "@better-auth/utils/base64";
+import { createHash } from "@better-auth/utils/hash";
 //#region src/db/internal-adapter.ts
 function getTTLSeconds(expiresAt, now = Date.now()) {
 	const expiresMs = typeof expiresAt === "number" ? expiresAt : expiresAt.getTime();
@@ -717,6 +719,55 @@ const createInternalAdapter = (adapter, ctx) => {
 			if (!consumed || consumed.expiresAt < /* @__PURE__ */ new Date()) return null;
 			return consumed;
 		},
+		reserveVerificationValue: async (data) => {
+			const reservationId = base64Url.encode(new Uint8Array(await createHash("SHA-256").digest(new TextEncoder().encode("reserve:" + data.identifier))), { padding: false });
+			const storageOption = getStorageOption(data.identifier, options.verification?.storeIdentifier);
+			const storedIdentifier = await processIdentifier(data.identifier, storageOption);
+			if (secondaryStorage && !options.verification?.storeInDatabase) {
+				const cacheKey = `verification:${storedIdentifier}`;
+				if (await secondaryStorage.get(cacheKey)) return false;
+				await secondaryStorage.set(cacheKey, JSON.stringify({
+					id: reservationId,
+					identifier: storedIdentifier,
+					value: data.value,
+					expiresAt: data.expiresAt
+				}), getTTLSeconds(data.expiresAt));
+				return true;
+			}
+			try {
+				await adapter.create({
+					model: "verification",
+					data: {
+						id: reservationId,
+						identifier: storedIdentifier,
+						value: data.value,
+						expiresAt: data.expiresAt,
+						createdAt: /* @__PURE__ */ new Date(),
+						updatedAt: /* @__PURE__ */ new Date()
+					},
+					forceAllowId: true
+				});
+			} catch (error) {
+				if (await adapter.findOne({
+					model: "verification",
+					where: [{
+						field: "id",
+						value: reservationId
+					}]
+				})) return false;
+				throw error;
+			}
+			if (secondaryStorage) {
+				const ttl = getTTLSeconds(data.expiresAt);
+				if (ttl > 0) await secondaryStorage.set(`verification:${storedIdentifier}`, JSON.stringify({
+					id: reservationId,
+					identifier: storedIdentifier,
+					value: data.value,
+					expiresAt: data.expiresAt
+				}), ttl);
+			}
+			return true;
+		},
 		updateVerificationByIdentifier: async (identifier, data) => {
 			const storedIdentifier = await processIdentifier(identifier, getStorageOption(identifier, options.verification?.storeIdentifier));
 			if (secondaryStorage) {

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.16";
+var version = "1.6.17";
 //#endregion
 export { version };

package/dist/plugins/access/access.mjs

@@ -1,33 +1,63 @@
 import { BetterAuthError } from "@better-auth/core/error";
 //#region src/plugins/access/access.ts
+function unknownResourceResponse(requestedResource) {
+	return {
+		success: false,
+		error: `You are not allowed to access resource: ${requestedResource}`
+	};
+}
+function unauthorizedResourceResponse(requestedResource) {
+	return {
+		success: false,
+		error: `unauthorized to access resource "${requestedResource}"`
+	};
+}
+function normalizeConnector(connector) {
+	return connector === "OR" ? "OR" : "AND";
+}
+function isActionList(actions) {
+	return Array.isArray(actions);
+}
+function normalizeActionRequest(requestedActions) {
+	if (isActionList(requestedActions)) return {
+		actions: requestedActions,
+		connector: "AND"
+	};
+	if (!requestedActions || typeof requestedActions !== "object") throw new BetterAuthError("Invalid access control request");
+	const { actions, connector } = requestedActions;
+	if (!isActionList(actions)) return {
+		actions: [],
+		connector: normalizeConnector(connector)
+	};
+	return {
+		actions,
+		connector: normalizeConnector(connector)
+	};
+}
+function hasAllowedAction(allowedActions, requestedAction) {
+	return typeof requestedAction === "string" && allowedActions.includes(requestedAction);
+}
+function isResourceAuthorized(allowedActions, { actions, connector }) {
+	if (actions.length === 0) return false;
+	if (connector === "OR") return actions.some((requestedAction) => hasAllowedAction(allowedActions, requestedAction));
+	return actions.every((requestedAction) => hasAllowedAction(allowedActions, requestedAction));
+}
 function role(statements) {
 	return {
 		authorize(request, connector = "AND") {
-			let success = false;
+			let hasAuthorizedResource = false;
 			for (const [requestedResource, requestedActions] of Object.entries(request)) {
 				const allowedActions = statements[requestedResource];
 				if (!allowedActions) {
-					if (connector === "AND") return {
-						success: false,
-						error: `You are not allowed to access resource: ${requestedResource}`
-					};
-					success = false;
+					if (connector === "AND") return unknownResourceResponse(requestedResource);
 					continue;
 				}
-				if (Array.isArray(requestedActions)) success = requestedActions.length > 0 && requestedActions.every((requestedAction) => allowedActions.includes(requestedAction));
-				else if (typeof requestedActions === "object") {
-					const actions = requestedActions;
-					if (!Array.isArray(actions.actions) || actions.actions.length === 0) success = false;
-					else if (actions.connector === "OR") success = actions.actions.some((requestedAction) => allowedActions.includes(requestedAction));
-					else success = actions.actions.every((requestedAction) => allowedActions.includes(requestedAction));
-				} else throw new BetterAuthError("Invalid access control request");
-				if (success && connector === "OR") return { success };
-				if (!success && connector === "AND") return {
-					success: false,
-					error: `unauthorized to access resource "${requestedResource}"`
-				};
+				const isAuthorized = isResourceAuthorized(allowedActions, normalizeActionRequest(requestedActions));
+				if (isAuthorized) hasAuthorizedResource = true;
+				if (isAuthorized && connector === "OR") return { success: true };
+				if (!isAuthorized && connector === "AND") return unauthorizedResourceResponse(requestedResource);
 			}
-			if (success) return { success };
+			if (hasAuthorizedResource) return { success: true };
 			return {
 				success: false,
 				error: "Not authorized"

package/dist/plugins/admin/routes.mjs

@@ -816,16 +816,23 @@ const setUserPassword = (opts) => createAuthEndpoint("/admin/set-user-password",
 	const { newPassword, userId } = ctx.body;
 	const minPasswordLength = ctx.context.password.config.minPasswordLength;
 	if (newPassword.length < minPasswordLength) {
-		ctx.context.logger.error("Password is too short");
+		ctx.context.logger.warn("Password is too short");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_SHORT);
 	}
 	const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
 	if (newPassword.length > maxPasswordLength) {
-		ctx.context.logger.error("Password is too long");
+		ctx.context.logger.warn("Password is too long");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 	}
+	if (!await ctx.context.internalAdapter.findUserById(userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const hashedPassword = await ctx.context.password.hash(newPassword);
-	await ctx.context.internalAdapter.updatePassword(userId, hashedPassword);
+	if ((await ctx.context.internalAdapter.findAccounts(userId)).find((account) => account.providerId === "credential")) await ctx.context.internalAdapter.updatePassword(userId, hashedPassword);
+	else await ctx.context.internalAdapter.createAccount({
+		userId,
+		providerId: "credential",
+		accountId: userId,
+		password: hashedPassword
+	});
 	return ctx.json({ status: true });
 });
 const userHasPermissionBodySchema = z.object({

package/dist/plugins/captcha/constants.mjs

@@ -1,4 +1,11 @@
 //#region src/plugins/captcha/constants.ts
+/**
+* Upper bound (in milliseconds) for a single provider verification request.
+* Without it, a hanging provider would tie up the request indefinitely before
+* any rate limiting applies, so every verify handler aborts at this deadline
+* and fails closed.
+*/
+const CAPTCHA_VERIFY_TIMEOUT_MS = 1e4;
 const defaultEndpoints = [
 	"/sign-up/email",
 	"/sign-in/email",
@@ -17,4 +24,4 @@ const siteVerifyMap = {
 	[Providers.CAPTCHAFOX]: "https://api.captchafox.com/siteverify"
 };
 //#endregion
-export { Providers, defaultEndpoints, siteVerifyMap };
+export { CAPTCHA_VERIFY_TIMEOUT_MS, Providers, defaultEndpoints, siteVerifyMap };

package/dist/plugins/captcha/index.mjs

@@ -42,10 +42,16 @@ const captcha = (options) => ({
 				secretKey: options.secretKey,
 				remoteIP: remoteUserIP
 			};
-			if (options.provider === Providers.CLOUDFLARE_TURNSTILE) return await cloudflareTurnstile(handlerParams);
+			if (options.provider === Providers.CLOUDFLARE_TURNSTILE) return await cloudflareTurnstile({
+				...handlerParams,
+				expectedAction: options.expectedAction,
+				allowedHostnames: options.allowedHostnames
+			});
 			if (options.provider === Providers.GOOGLE_RECAPTCHA) return await googleRecaptcha({
 				...handlerParams,
-				minScore: options.minScore
+				minScore: options.minScore,
+				expectedAction: options.expectedAction,
+				allowedHostnames: options.allowedHostnames
 			});
 			if (options.provider === Providers.HCAPTCHA) return await hCaptcha({
 				...handlerParams,

package/dist/plugins/captcha/types.d.mts

@@ -10,9 +10,30 @@ interface BaseCaptchaOptions {
 interface GoogleRecaptchaOptions extends BaseCaptchaOptions {
   provider: typeof Providers.GOOGLE_RECAPTCHA;
   minScore?: number | undefined;
+  /**
+   * Expected reCAPTCHA v3 `action`. When set, a verification whose action does
+   * not match is rejected, preventing a token minted for another action on the
+   * same site key from being replayed against this endpoint.
+   */
+  expectedAction?: string | undefined;
+  /**
+   * Allow-list of hostnames the token must have been issued for. When set, a
+   * verification reporting a different hostname is rejected.
+   */
+  allowedHostnames?: string[] | undefined;
 }
 interface CloudflareTurnstileOptions extends BaseCaptchaOptions {
   provider: typeof Providers.CLOUDFLARE_TURNSTILE;
+  /**
+   * Expected Turnstile `action`. When set, a verification whose action does
+   * not match is rejected, preventing cross-context token reuse.
+   */
+  expectedAction?: string | undefined;
+  /**
+   * Allow-list of hostnames the token must have been issued for. When set, a
+   * verification reporting a different or missing hostname is rejected.
+   */
+  allowedHostnames?: string[] | undefined;
 }
 interface HCaptchaOptions extends BaseCaptchaOptions {
   provider: typeof Providers.HCAPTCHA;

package/dist/plugins/captcha/verify-handlers/captchafox.mjs

@@ -1,4 +1,5 @@
 import { middlewareResponse } from "../../../utils/middleware-response.mjs";
+import { CAPTCHA_VERIFY_TIMEOUT_MS } from "../constants.mjs";
 import { EXTERNAL_ERROR_CODES, INTERNAL_ERROR_CODES } from "../error-codes.mjs";
 import { encodeToURLParams } from "../utils.mjs";
 import { betterFetch } from "@better-fetch/fetch";
@@ -6,6 +7,7 @@ import { betterFetch } from "@better-fetch/fetch";
 const captchaFox = async ({ siteVerifyURL, captchaResponse, secretKey, siteKey, remoteIP }) => {
 	const response = await betterFetch(siteVerifyURL, {
 		method: "POST",
+		timeout: CAPTCHA_VERIFY_TIMEOUT_MS,
 		headers: { "Content-Type": "application/x-www-form-urlencoded" },
 		body: encodeToURLParams({
 			secret: secretKey,

package/dist/plugins/captcha/verify-handlers/cloudflare-turnstile.mjs

@@ -1,10 +1,12 @@
 import { middlewareResponse } from "../../../utils/middleware-response.mjs";
+import { CAPTCHA_VERIFY_TIMEOUT_MS } from "../constants.mjs";
 import { EXTERNAL_ERROR_CODES, INTERNAL_ERROR_CODES } from "../error-codes.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/plugins/captcha/verify-handlers/cloudflare-turnstile.ts
-const cloudflareTurnstile = async ({ siteVerifyURL, captchaResponse, secretKey, remoteIP }) => {
+const cloudflareTurnstile = async ({ siteVerifyURL, captchaResponse, secretKey, remoteIP, expectedAction, allowedHostnames }) => {
 	const response = await betterFetch(siteVerifyURL, {
 		method: "POST",
+		timeout: CAPTCHA_VERIFY_TIMEOUT_MS,
 		headers: { "Content-Type": "application/json" },
 		body: JSON.stringify({
 			secret: secretKey,
@@ -13,11 +15,14 @@ const cloudflareTurnstile = async ({ siteVerifyURL, captchaResponse, secretKey,
 		})
 	});
 	if (!response.data || response.error) throw new Error(INTERNAL_ERROR_CODES.SERVICE_UNAVAILABLE.message);
-	if (!response.data.success) return middlewareResponse({
+	const verificationFailed = () => middlewareResponse({
 		message: EXTERNAL_ERROR_CODES.VERIFICATION_FAILED.message,
 		code: EXTERNAL_ERROR_CODES.VERIFICATION_FAILED.code,
 		status: 403
 	});
+	if (!response.data.success) return verificationFailed();
+	if (expectedAction && response.data.action !== expectedAction) return verificationFailed();
+	if (allowedHostnames && allowedHostnames.length > 0 && !(response.data.hostname && allowedHostnames.includes(response.data.hostname))) return verificationFailed();
 };
 //#endregion
 export { cloudflareTurnstile };

package/dist/plugins/captcha/verify-handlers/google-recaptcha.mjs

@@ -1,4 +1,5 @@
 import { middlewareResponse } from "../../../utils/middleware-response.mjs";
+import { CAPTCHA_VERIFY_TIMEOUT_MS } from "../constants.mjs";
 import { EXTERNAL_ERROR_CODES, INTERNAL_ERROR_CODES } from "../error-codes.mjs";
 import { encodeToURLParams } from "../utils.mjs";
 import { betterFetch } from "@better-fetch/fetch";
@@ -6,9 +7,10 @@ import { betterFetch } from "@better-fetch/fetch";
 const isV3 = (response) => {
 	return "score" in response && typeof response.score === "number";
 };
-const googleRecaptcha = async ({ siteVerifyURL, captchaResponse, secretKey, minScore = .5, remoteIP }) => {
+const googleRecaptcha = async ({ siteVerifyURL, captchaResponse, secretKey, minScore = .5, remoteIP, expectedAction, allowedHostnames }) => {
 	const response = await betterFetch(siteVerifyURL, {
 		method: "POST",
+		timeout: CAPTCHA_VERIFY_TIMEOUT_MS,
 		headers: { "Content-Type": "application/x-www-form-urlencoded" },
 		body: encodeToURLParams({
 			secret: secretKey,
@@ -17,11 +19,14 @@ const googleRecaptcha = async ({ siteVerifyURL, captchaResponse, secretKey, minS
 		})
 	});
 	if (!response.data || response.error) throw new Error(INTERNAL_ERROR_CODES.SERVICE_UNAVAILABLE.message);
-	if (!response.data.success || isV3(response.data) && response.data.score < minScore) return middlewareResponse({
+	const verificationFailed = () => middlewareResponse({
 		message: EXTERNAL_ERROR_CODES.VERIFICATION_FAILED.message,
 		code: EXTERNAL_ERROR_CODES.VERIFICATION_FAILED.code,
 		status: 403
 	});
+	if (!response.data.success || isV3(response.data) && response.data.score < minScore) return verificationFailed();
+	if (expectedAction && response.data.action !== expectedAction) return verificationFailed();
+	if (allowedHostnames && allowedHostnames.length > 0 && !allowedHostnames.includes(response.data.hostname)) return verificationFailed();
 };
 //#endregion
 export { googleRecaptcha };

package/dist/plugins/captcha/verify-handlers/h-captcha.mjs

@@ -1,4 +1,5 @@
 import { middlewareResponse } from "../../../utils/middleware-response.mjs";
+import { CAPTCHA_VERIFY_TIMEOUT_MS } from "../constants.mjs";
 import { EXTERNAL_ERROR_CODES, INTERNAL_ERROR_CODES } from "../error-codes.mjs";
 import { encodeToURLParams } from "../utils.mjs";
 import { betterFetch } from "@better-fetch/fetch";
@@ -6,6 +7,7 @@ import { betterFetch } from "@better-fetch/fetch";
 const hCaptcha = async ({ siteVerifyURL, captchaResponse, secretKey, siteKey, remoteIP }) => {
 	const response = await betterFetch(siteVerifyURL, {
 		method: "POST",
+		timeout: CAPTCHA_VERIFY_TIMEOUT_MS,
 		headers: { "Content-Type": "application/x-www-form-urlencoded" },
 		body: encodeToURLParams({
 			secret: secretKey,