better-auth 1.6.16 → 1.6.17

package/dist/plugins/device-authorization/routes.mjs

@@ -243,7 +243,21 @@ Follow [rfc8628#section-3.4](https://datatracker.ietf.org/doc/html/rfc8628#secti
 		});
 	}
 	if (deviceCodeRecord.status === "approved" && deviceCodeRecord.userId) {
-		const user = await ctx.context.internalAdapter.findUserById(deviceCodeRecord.userId);
+		const claimedDeviceCode = await ctx.context.adapter.consumeOne({
+			model: "deviceCode",
+			where: [{
+				field: "deviceCode",
+				value: device_code
+			}, {
+				field: "status",
+				value: "approved"
+			}]
+		});
+		if (!claimedDeviceCode?.userId) throw new APIError("BAD_REQUEST", {
+			error: "invalid_grant",
+			error_description: DEVICE_AUTHORIZATION_ERROR_CODES.INVALID_DEVICE_CODE.message
+		});
+		const user = await ctx.context.internalAdapter.findUserById(claimedDeviceCode.userId);
 		if (!user) throw new APIError("INTERNAL_SERVER_ERROR", {
 			error: "server_error",
 			error_description: DEVICE_AUTHORIZATION_ERROR_CODES.USER_NOT_FOUND.message
@@ -261,18 +275,11 @@ Follow [rfc8628#section-3.4](https://datatracker.ietf.org/doc/html/rfc8628#secti
 			user,
 			session
 		}), Math.floor((new Date(session.expiresAt).getTime() - Date.now()) / 1e3));
-		await ctx.context.adapter.delete({
-			model: "deviceCode",
-			where: [{
-				field: "id",
-				value: deviceCodeRecord.id
-			}]
-		});
 		return ctx.json({
 			access_token: session.token,
 			token_type: "Bearer",
 			expires_in: Math.floor((new Date(session.expiresAt).getTime() - Date.now()) / 1e3),
-			scope: deviceCodeRecord.scope || ""
+			scope: claimedDeviceCode.scope || ""
 		}, { headers: {
 			"Cache-Control": "no-store",
 			Pragma: "no-cache"

package/dist/plugins/email-otp/routes.mjs

@@ -115,7 +115,7 @@ const createVerificationOTPBodySchema = z.object({
 		description: "Type of the OTP"
 	})
 });
-const createVerificationOTP = (opts) => createAuthEndpoint({
+const createVerificationOTP = (opts) => createAuthEndpoint.serverOnly({
 	method: "POST",
 	body: createVerificationOTPBodySchema,
 	metadata: { openapi: {
@@ -159,7 +159,7 @@ const getVerificationOTPBodySchema = z.object({
 *
 * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-get-verification-otp)
 */
-const getVerificationOTP = (opts) => createAuthEndpoint({
+const getVerificationOTP = (opts) => createAuthEndpoint.serverOnly({
 	method: "GET",
 	query: getVerificationOTPBodySchema,
 	metadata: { openapi: {
@@ -636,24 +636,7 @@ const requestEmailChangeEmailOTP = (opts) => createAuthEndpoint("/email-otp/requ
 	}
 	if (opts.changeEmail?.verifyCurrentEmail) {
 		if (!ctx.body.otp) throw APIError$1.fromStatus("BAD_REQUEST", { message: "OTP is required to verify current email" });
-		const currentEmailVerificationValue = await ctx.context.internalAdapter.findVerificationValue(toOTPIdentifier("email-verification", email));
-		if (!currentEmailVerificationValue) throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
-		const currentEmailIdentifier = toOTPIdentifier("email-verification", email);
-		if (currentEmailVerificationValue.expiresAt < /* @__PURE__ */ new Date()) {
-			await ctx.context.internalAdapter.deleteVerificationByIdentifier(currentEmailIdentifier);
-			throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.OTP_EXPIRED);
-		}
-		const [otpValue, attempts] = splitAtLastColon(currentEmailVerificationValue.value);
-		const allowedAttempts = opts?.allowedAttempts || 3;
-		if (attempts && parseInt(attempts) >= allowedAttempts) {
-			await ctx.context.internalAdapter.deleteVerificationByIdentifier(currentEmailIdentifier);
-			throw APIError$1.from("FORBIDDEN", EMAIL_OTP_ERROR_CODES.TOO_MANY_ATTEMPTS);
-		}
-		if (!await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp)) {
-			await ctx.context.internalAdapter.updateVerificationByIdentifier(currentEmailIdentifier, { value: `${otpValue}:${parseInt(attempts || "0") + 1}` });
-			throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
-		}
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(currentEmailIdentifier);
+		await atomicVerifyOTP(ctx, opts, toOTPIdentifier("email-verification", email), ctx.body.otp);
 	} else if (ctx.body.otp) ctx.context.logger.warn("OTP provided but not required for verifying current email. If you want to require OTP verification for current email, please set the changeEmail.verifyCurrentEmail option to true in the configuration");
 	const otp = opts.generateOTP({
 		email: newEmail,
@@ -723,24 +706,7 @@ const changeEmailEmailOTP = (opts) => createAuthEndpoint("/email-otp/change-emai
 		ctx.context.logger.error("Email is the same");
 		throw APIError$1.fromStatus("BAD_REQUEST", { message: "Email is the same" });
 	}
-	const verificationValue = await ctx.context.internalAdapter.findVerificationValue(toOTPIdentifier("change-email", `${email}-${newEmail}`));
-	if (!verificationValue) throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
-	const changeEmailIdentifier = toOTPIdentifier("change-email", `${email}-${newEmail}`);
-	if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) {
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(changeEmailIdentifier);
-		throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.OTP_EXPIRED);
-	}
-	const [otpValue, attempts] = splitAtLastColon(verificationValue.value);
-	const allowedAttempts = opts?.allowedAttempts || 3;
-	if (attempts && parseInt(attempts) >= allowedAttempts) {
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(changeEmailIdentifier);
-		throw APIError$1.from("FORBIDDEN", EMAIL_OTP_ERROR_CODES.TOO_MANY_ATTEMPTS);
-	}
-	if (!await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp)) {
-		await ctx.context.internalAdapter.updateVerificationByIdentifier(changeEmailIdentifier, { value: `${otpValue}:${parseInt(attempts || "0") + 1}` });
-		throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
-	}
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(changeEmailIdentifier);
+	await atomicVerifyOTP(ctx, opts, toOTPIdentifier("change-email", `${email}-${newEmail}`), ctx.body.otp);
 	const currentUser = await ctx.context.internalAdapter.findUserByEmail(email);
 	if (!currentUser)
  /**
@@ -770,29 +736,33 @@ const changeEmailEmailOTP = (opts) => createAuthEndpoint("/email-otp/change-emai
 });
 const defaultOTPGenerator = (options) => generateRandomString(options.otpLength ?? 6, "0-9");
 /**
-* Atomically verifies OTP with race condition protection.
-* Deletes token before verification to prevent concurrent reuse.
-* Re-creates token with incremented attempts on failure.
+* Verifies a single-use OTP with race-condition protection.
+*
+* The atomic consume is the single gate: only the first concurrent caller
+* receives the record, every later racer receives `null` and is rejected, so
+* a correct OTP can only ever be accepted once. When the submitted code is
+* wrong the record is recreated with the same value and expiry and an
+* incremented attempt count so the next try can still find it; the budget is
+* enforced before verification, and a record whose attempts are exhausted is
+* left consumed (no recreate), locking the identifier out.
 */
 async function atomicVerifyOTP(ctx, opts, identifier, providedOTP) {
-	const verificationValue = await ctx.context.internalAdapter.findVerificationValue(identifier);
-	if (!verificationValue) throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
-	if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) {
+	const existing = await ctx.context.internalAdapter.findVerificationValue(identifier);
+	if (existing && existing.expiresAt < /* @__PURE__ */ new Date()) {
 		await ctx.context.internalAdapter.deleteVerificationByIdentifier(identifier);
 		throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.OTP_EXPIRED);
 	}
-	const [otpValue, attempts] = splitAtLastColon(verificationValue.value);
+	const consumed = await ctx.context.internalAdapter.consumeVerificationValue(identifier);
+	if (!consumed) throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
+	const [otpValue, attempts] = splitAtLastColon(consumed.value);
 	const allowedAttempts = opts?.allowedAttempts || 3;
-	if (attempts && parseInt(attempts) >= allowedAttempts) {
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(identifier);
-		throw APIError$1.from("FORBIDDEN", EMAIL_OTP_ERROR_CODES.TOO_MANY_ATTEMPTS);
-	}
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(identifier);
+	const usedAttempts = parseInt(attempts || "0");
+	if (usedAttempts >= allowedAttempts) throw APIError$1.from("FORBIDDEN", EMAIL_OTP_ERROR_CODES.TOO_MANY_ATTEMPTS);
 	if (!await verifyStoredOTP(ctx, opts, otpValue, providedOTP)) {
 		await ctx.context.internalAdapter.createVerificationValue({
-			value: `${otpValue}:${parseInt(attempts || "0") + 1}`,
+			value: `${otpValue}:${usedAttempts + 1}`,
 			identifier,
-			expiresAt: verificationValue.expiresAt
+			expiresAt: consumed.expiresAt
 		});
 		throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
 	}

package/dist/plugins/generic-oauth/index.mjs

@@ -14,6 +14,9 @@ import { APIError } from "@better-auth/core/error";
 import { applyDefaultAccessTokenExpiry, createAuthorizationURL, refreshAccessToken, validateAuthorizationCode } from "@better-auth/core/oauth2";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/plugins/generic-oauth/index.ts
+function isNonEmptyOAuthId(id) {
+	return id !== void 0 && id !== null && id !== "";
+}
 /**
 * A generic OAuth plugin that can be used to add OAuth support to any provider
 */
@@ -114,14 +117,16 @@ const genericOAuth = (options) => {
 						const userInfo = c.getUserInfo ? await c.getUserInfo(tokens) : await getUserInfo(tokens, finalUserInfoUrl);
 						if (!userInfo) return null;
 						const userMap = await c.mapProfileToUser?.(userInfo);
+						const rawId = isNonEmptyOAuthId(userMap?.id) ? userMap.id : isNonEmptyOAuthId(userInfo.id) ? userInfo.id : isNonEmptyOAuthId(userInfo.sub) ? userInfo.sub : void 0;
+						if (rawId === void 0) return null;
 						return {
 							user: {
-								id: userInfo?.id,
 								email: userInfo?.email,
 								emailVerified: userInfo?.emailVerified,
 								image: userInfo?.image,
 								name: userInfo?.name,
-								...userMap
+								...userMap,
+								id: String(rawId)
 							},
 							data: userInfo
 						};

package/dist/plugins/generic-oauth/routes.mjs

@@ -15,6 +15,9 @@ import * as z from "zod";
 import { decodeJwt } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/plugins/generic-oauth/routes.ts
+function isNonEmptyOAuthId(id) {
+	return id !== void 0 && id !== null && id !== "";
+}
 const signInWithOAuth2BodySchema = z.object({
 	providerId: z.string().meta({ description: "The provider ID for the OAuth provider" }),
 	callbackURL: z.string().meta({ description: "The URL to redirect to after sign in" }).optional(),
@@ -209,8 +212,8 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 			ctx.context.logger.error(missingEmailLogMessage(providerConfig.providerId, { source: "generic" }), userInfo);
 			redirectOnError(ctx, resolvedErrorURL, "email_is_missing");
 		}
-		const rawId = mapUser.id !== void 0 && mapUser.id !== null && mapUser.id !== "" ? mapUser.id : userInfo.id;
-		const id = rawId !== void 0 && rawId !== null ? String(rawId) : "";
+		const rawId = isNonEmptyOAuthId(mapUser.id) ? mapUser.id : isNonEmptyOAuthId(userInfo.id) ? userInfo.id : isNonEmptyOAuthId(userInfo.sub) ? userInfo.sub : void 0;
+		const id = rawId !== void 0 ? String(rawId) : "";
 		if (!id) {
 			ctx.context.logger.error("Provider did not return an account id (e.g. `sub`). Unable to sign in.", userInfo);
 			redirectOnError(ctx, resolvedErrorURL, "id_is_missing");
@@ -399,19 +402,20 @@ async function getUserInfo(tokens, finalUserInfoUrl) {
 		}
 	}
 	if (!finalUserInfoUrl) return null;
-	const userInfo = await betterFetch(finalUserInfoUrl, {
+	const profile = (await betterFetch(finalUserInfoUrl, {
 		method: "GET",
 		headers: { Authorization: `Bearer ${tokens.accessToken}` }
-	});
-	const subjectId = userInfo.data?.sub ?? userInfo.data?.id;
-	if (subjectId === void 0 || subjectId === null || subjectId === "") return null;
+	})).data;
+	if (!profile) return null;
+	const { id: profileId, ...profileFields } = profile;
+	const subjectId = isNonEmptyOAuthId(profileId) ? profileId : isNonEmptyOAuthId(profile.sub) ? profile.sub : void 0;
 	return {
-		id: subjectId,
-		emailVerified: userInfo.data?.email_verified ?? false,
-		email: userInfo.data?.email,
-		image: userInfo.data?.picture,
-		name: userInfo.data?.name,
-		...userInfo.data
+		...profileFields,
+		...subjectId !== void 0 ? { id: subjectId } : {},
+		email: profile?.email,
+		emailVerified: profile?.email_verified ?? false,
+		image: profile?.picture,
+		name: profile?.name
 	};
 }
 //#endregion

package/dist/plugins/haveibeenpwned/index.d.mts

@@ -17,7 +17,7 @@ interface HaveIBeenPwnedOptions {
   /**
    * Paths to check for password
    *
-   * @default ["/sign-up/email", "/change-password", "/reset-password"]
+   * @default ["/sign-up/email", "/change-password", "/reset-password", "/email-otp/reset-password", "/phone-number/reset-password", "/admin/create-user", "/admin/set-user-password"]
    */
   paths?: string[];
   /**

package/dist/plugins/haveibeenpwned/index.mjs

@@ -31,7 +31,11 @@ const haveIBeenPwned = (options) => {
 	const paths = options?.paths || [
 		"/sign-up/email",
 		"/change-password",
-		"/reset-password"
+		"/reset-password",
+		"/email-otp/reset-password",
+		"/phone-number/reset-password",
+		"/admin/create-user",
+		"/admin/set-user-password"
 	];
 	return {
 		id: "have-i-been-pwned",

package/dist/plugins/index.d.mts

@@ -41,6 +41,10 @@ import { getClient, getMetadata, oidcProvider } from "./oidc-provider/index.mjs"
 import { getMCPProtectedResourceMetadata, getMCPProviderMetadata, mcp, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, withMcpAuth } from "./mcp/index.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "./multi-session/error-codes.mjs";
 import { MultiSessionConfig, multiSession } from "./multi-session/index.mjs";
+import { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE } from "./oauth-popup/constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./oauth-popup/error-codes.mjs";
+import { OAuthPopupData, OAuthPopupMessage } from "./oauth-popup/types.mjs";
+import { OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_SCRIPT_CSP_HASH, oauthPopup } from "./oauth-popup/index.mjs";
 import { OAuthProxyOptions, oAuthProxy } from "./oauth-proxy/index.mjs";
 import { OneTapOptions, oneTap } from "./one-tap/index.mjs";
 import { OneTimeTokenOptions, oneTimeToken } from "./one-time-token/index.mjs";
@@ -62,4 +66,4 @@ import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
 import { UsernameOptions, username } from "./username/index.mjs";
 import { hasPermission } from "./organization/has-permission.mjs";
 import { DefaultOrganizationPlugin, DynamicAccessControlEndpoints, OrganizationCreator, OrganizationEndpoints, OrganizationPlugin, TeamEndpoints, organization, parseRoles } from "./organization/organization.mjs";
-export { AccessControl, AdminOptions, AnonymousOptions, AnonymousSession, ArrayElement, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, ExactRoleStatements, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, LoginResult, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, Path, PatreonOptions, PhoneNumberOptions, Provider, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TestCookie, TestHelpers, TestUtilsOptions, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, encodeBackupCodes, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, testUtils, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };
+export { AccessControl, AdminOptions, AnonymousOptions, AnonymousSession, ArrayElement, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, ExactRoleStatements, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, LoginResult, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_ERROR_CODES, OAUTH_POPUP_MESSAGE_TYPE, OAUTH_POPUP_SCRIPT_CSP_HASH, OAuthAccessToken, OAuthPopupData, OAuthPopupMessage, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, POPUP_MARKER_COOKIE, Path, PatreonOptions, PhoneNumberOptions, Provider, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TestCookie, TestHelpers, TestUtilsOptions, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, encodeBackupCodes, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oauthPopup, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, testUtils, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };

package/dist/plugins/index.mjs

@@ -1,6 +1,8 @@
 import { HIDE_METADATA } from "../utils/hide-metadata.mjs";
 import { createAccessControl, role } from "./access/access.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "./multi-session/error-codes.mjs";
+import { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE } from "./oauth-popup/constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./oauth-popup/error-codes.mjs";
 import { TWO_FACTOR_ERROR_CODES } from "./two-factor/error-code.mjs";
 import { twoFactorClient } from "./two-factor/client.mjs";
 import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
@@ -31,6 +33,7 @@ import { magicLink } from "./magic-link/index.mjs";
 import { getClient, getMetadata, oidcProvider } from "./oidc-provider/index.mjs";
 import { getMCPProtectedResourceMetadata, getMCPProviderMetadata, mcp, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, withMcpAuth } from "./mcp/index.mjs";
 import { multiSession } from "./multi-session/index.mjs";
+import { OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_SCRIPT_CSP_HASH, oauthPopup } from "./oauth-popup/index.mjs";
 import { oAuthProxy } from "./oauth-proxy/index.mjs";
 import { oneTap } from "./one-tap/index.mjs";
 import { oneTimeToken } from "./one-time-token/index.mjs";
@@ -43,4 +46,4 @@ import { siwe } from "./siwe/index.mjs";
 import { testUtils } from "./test-utils/index.mjs";
 import { twoFactor } from "./two-factor/index.mjs";
 import { username } from "./username/index.mjs";
-export { MULTI_SESSION_ERROR_CODES as ERROR_CODES, HIDE_METADATA, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, admin, anonymous, auth0, bearer, captcha, createAccessControl, createJwk, customSession, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, generateExportedKeyPair, genericOAuth, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, microsoftEntraId, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, parseRoles, patreon, phoneNumber, role, signJWT, siwe, slack, testUtils, toExpJWT, twoFactor, twoFactorClient, username, verifyJWT, withMcpAuth };
+export { MULTI_SESSION_ERROR_CODES as ERROR_CODES, HIDE_METADATA, OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_ERROR_CODES, OAUTH_POPUP_MESSAGE_TYPE, OAUTH_POPUP_SCRIPT_CSP_HASH, POPUP_MARKER_COOKIE, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, admin, anonymous, auth0, bearer, captcha, createAccessControl, createJwk, customSession, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, generateExportedKeyPair, genericOAuth, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, microsoftEntraId, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oauthPopup, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, parseRoles, patreon, phoneNumber, role, signJWT, siwe, slack, testUtils, toExpJWT, twoFactor, twoFactorClient, username, verifyJWT, withMcpAuth };

package/dist/plugins/jwt/index.mjs

@@ -144,7 +144,7 @@ const jwt = (options) => {
 				const jwt = await getJwtToken(ctx, options);
 				return ctx.json({ token: jwt });
 			}),
-			signJWT: createAuthEndpoint({
+			signJWT: createAuthEndpoint.serverOnly({
 				method: "POST",
 				metadata: { $Infer: { body: {} } },
 				body: signJWTBodySchema
@@ -158,7 +158,7 @@ const jwt = (options) => {
 				});
 				return c.json({ token: jwt });
 			}),
-			verifyJWT: createAuthEndpoint({
+			verifyJWT: createAuthEndpoint.serverOnly({
 				method: "POST",
 				metadata: { $Infer: {
 					body: {},

package/dist/plugins/mcp/client/index.mjs

@@ -65,6 +65,7 @@ function createMcpAuthClient(options) {
 			if (!response.ok) return null;
 			const data = await response.json();
 			if (!data || !data.userId) return null;
+			if (data.accessTokenExpiresAt && new Date(data.accessTokenExpiresAt).getTime() < Date.now()) return null;
 			return data;
 		} catch {
 			return null;

package/dist/plugins/mcp/index.mjs

@@ -302,6 +302,10 @@ const mcp = (options) => {
 						error_description: "refresh token expired",
 						error: "invalid_grant"
 					});
+					if (!token.scopes?.split(" ").includes("offline_access")) throw new APIError("UNAUTHORIZED", {
+						error_description: "refresh token was not issued for the offline_access scope",
+						error: "invalid_grant"
+					});
 					const refreshClient = await ctx.context.adapter.findOne({
 						model: modelName.oauthClient,
 						where: [{
@@ -693,6 +697,10 @@ const mcp = (options) => {
 					}]
 				});
 				if (!accessTokenData) return c.json(null);
+				if (accessTokenData.accessTokenExpiresAt < /* @__PURE__ */ new Date()) {
+					c.headers?.set("WWW-Authenticate", "Bearer");
+					return c.json(null);
+				}
 				return c.json(accessTokenData);
 			})
 		},

package/dist/plugins/multi-session/index.mjs

@@ -55,8 +55,9 @@ const multiSession = (options) => {
 			}, async (ctx) => {
 				const sessionToken = ctx.body.sessionToken;
 				const multiSessionCookieName = `${ctx.context.authCookies.sessionToken.name}_multi-${sessionToken.toLowerCase()}`;
-				if (!await ctx.getSignedCookie(multiSessionCookieName, ctx.context.secret)) throw APIError.from("UNAUTHORIZED", MULTI_SESSION_ERROR_CODES.INVALID_SESSION_TOKEN);
-				const session = await ctx.context.internalAdapter.findSession(sessionToken);
+				const sessionCookie = await ctx.getSignedCookie(multiSessionCookieName, ctx.context.secret);
+				if (!sessionCookie) throw APIError.from("UNAUTHORIZED", MULTI_SESSION_ERROR_CODES.INVALID_SESSION_TOKEN);
+				const session = await ctx.context.internalAdapter.findSession(sessionCookie);
 				if (!session || session.session.expiresAt < /* @__PURE__ */ new Date()) {
 					expireCookie(ctx, {
 						name: multiSessionCookieName,
@@ -88,13 +89,14 @@ const multiSession = (options) => {
 			}, async (ctx) => {
 				const sessionToken = ctx.body.sessionToken;
 				const multiSessionCookieName = `${ctx.context.authCookies.sessionToken.name}_multi-${sessionToken.toLowerCase()}`;
-				if (!await ctx.getSignedCookie(multiSessionCookieName, ctx.context.secret)) throw APIError.from("UNAUTHORIZED", MULTI_SESSION_ERROR_CODES.INVALID_SESSION_TOKEN);
-				await ctx.context.internalAdapter.deleteSession(sessionToken);
+				const sessionCookie = await ctx.getSignedCookie(multiSessionCookieName, ctx.context.secret);
+				if (!sessionCookie) throw APIError.from("UNAUTHORIZED", MULTI_SESSION_ERROR_CODES.INVALID_SESSION_TOKEN);
+				await ctx.context.internalAdapter.deleteSession(sessionCookie);
 				expireCookie(ctx, {
 					name: multiSessionCookieName,
 					attributes: ctx.context.authCookies.sessionToken.attributes
 				});
-				if (!(ctx.context.session?.session.token === sessionToken)) return ctx.json({ status: true });
+				if (!(ctx.context.session?.session.token === sessionCookie)) return ctx.json({ status: true });
 				const cookieHeader = ctx.headers?.get("cookie");
 				if (cookieHeader) {
 					const cookies = Object.fromEntries(parseCookies(cookieHeader));

package/dist/plugins/oauth-popup/client.d.mts

@@ -0,0 +1,82 @@
+import { POPUP_TOKEN_STORAGE_KEY } from "./constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./error-codes.mjs";
+import { oauthPopup } from "./index.mjs";
+import { BetterAuthClientOptions, ClientStore } from "@better-auth/core";
+import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
+import { BetterFetch, BetterFetchPlugin } from "@better-fetch/fetch";
+
+//#region src/plugins/oauth-popup/client.d.ts
+/** Inputs for `authClient.signIn.popup`; mirror the redirect sign-in. */
+interface SignInPopupOptions {
+  /** Built-in social provider id (e.g. `"google"`). */
+  provider?: string;
+  /** Generic OAuth provider id (registered via `genericOAuth`). */
+  providerId?: string;
+  callbackURL?: string;
+  errorCallbackURL?: string;
+  newUserCallbackURL?: string;
+  requestSignUp?: boolean;
+  scopes?: string[];
+  additionalData?: Record<string, unknown>;
+  /** `window.open` feature string; defaults to a centered 500x600 window. */
+  windowFeatures?: string;
+  /** How long (ms) to wait for the popup to complete. Default 5 minutes. */
+  timeoutMs?: number;
+}
+interface SignInPopupResult {
+  data: {
+    success: boolean;
+  } | null;
+  error: {
+    code: string;
+    message: string;
+    status?: number;
+  } | null;
+}
+/** Reads the stored popup token (browser-only; null otherwise). */
+declare function getStoredPopupToken(): string | null;
+/**
+ * Attaches the popup token as a bearer header when embedded (where the cookie is
+ * partitioned), and clears it once the session ends so it can't be reused.
+ */
+declare const popupBearerFetchPlugin: BetterFetchPlugin;
+interface SignInPopupDeps {
+  $fetch: BetterFetch;
+  options?: BetterAuthClientOptions | undefined;
+  /** Refreshes the reactive session, as the redirect flow's atom listeners do. */
+  notifySessionSignal: () => void;
+}
+/**
+ * Builds `signIn.popup`. Runs the sign-in in the popup's own first-party
+ * context (so the OAuth state cookie lands there), waits for the completion
+ * page to post the session token back, stores it for the bearer fetch plugin,
+ * and refreshes the reactive session.
+ */
+declare function createSignInPopup({
+  $fetch,
+  options,
+  notifySessionSignal
+}: SignInPopupDeps): (opts: SignInPopupOptions) => Promise<SignInPopupResult>;
+/**
+ * Client plugin for popup OAuth sign-in. Adds `authClient.signIn.popup`. Pair
+ * with the server `oauthPopup` and `bearer` plugins.
+ */
+declare const oauthPopupClient: () => {
+  id: "oauth-popup";
+  version: string;
+  $InferServerPlugin: ReturnType<typeof oauthPopup>;
+  $ERROR_CODES: {
+    POPUP_SIGN_IN_FAILED: _better_auth_core_utils_error_codes0.RawError<"POPUP_SIGN_IN_FAILED">;
+    POPUP_BLOCKED: _better_auth_core_utils_error_codes0.RawError<"POPUP_BLOCKED">;
+    POPUP_CLOSED: _better_auth_core_utils_error_codes0.RawError<"POPUP_CLOSED">;
+    POPUP_TIMEOUT: _better_auth_core_utils_error_codes0.RawError<"POPUP_TIMEOUT">;
+  };
+  fetchPlugins: BetterFetchPlugin[];
+  getActions: ($fetch: BetterFetch, $store: ClientStore, options: BetterAuthClientOptions | undefined) => {
+    signIn: {
+      popup: (opts: SignInPopupOptions) => Promise<SignInPopupResult>;
+    };
+  };
+};
+//#endregion
+export { SignInPopupOptions, SignInPopupResult, createSignInPopup, getStoredPopupToken, oauthPopupClient, popupBearerFetchPlugin };