better-auth 1.6.16 → 1.6.17

package/dist/plugins/two-factor/otp/index.mjs

@@ -158,17 +158,12 @@ const otp2fa = (options) => {
 				} }
 			}, async (ctx) => {
 				const { session, key, valid, invalid } = await verifyTwoFactor(ctx);
-				const toCheckOtp = await ctx.context.internalAdapter.findVerificationValue(`2fa-otp-${key}`);
-				const [otp, counter] = toCheckOtp?.value?.split(":") ?? [];
-				if (!toCheckOtp || toCheckOtp.expiresAt < /* @__PURE__ */ new Date()) {
-					if (toCheckOtp) await ctx.context.internalAdapter.deleteVerificationByIdentifier(`2fa-otp-${key}`);
-					throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED);
-				}
+				const consumed = await ctx.context.internalAdapter.consumeVerificationValue(`2fa-otp-${key}`);
+				if (!consumed) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED);
+				const [otp, counter] = consumed.value?.split(":") ?? [];
 				const allowedAttempts = options?.allowedAttempts || 5;
-				if (parseInt(counter) >= allowedAttempts) {
-					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`2fa-otp-${key}`);
-					throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE);
-				}
+				const attempts = parseInt(counter, 10) || 0;
+				if (attempts >= allowedAttempts) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE);
 				const [storedValue, inputValue] = await decryptOrHashForComparison(ctx, otp, ctx.body.code);
 				if (constantTimeEqual(new TextEncoder().encode(storedValue), new TextEncoder().encode(inputValue))) {
 					if (!session.user.twoFactorEnabled) {
@@ -186,10 +181,13 @@ const otp2fa = (options) => {
 						});
 					}
 					return valid(ctx);
-				} else {
-					await ctx.context.internalAdapter.updateVerificationByIdentifier(`2fa-otp-${key}`, { value: `${otp}:${(parseInt(counter, 10) || 0) + 1}` });
-					return invalid("INVALID_CODE");
 				}
+				await ctx.context.internalAdapter.createVerificationValue({
+					value: `${otp}:${attempts + 1}`,
+					identifier: `2fa-otp-${key}`,
+					expiresAt: consumed.expiresAt
+				});
+				return invalid("INVALID_CODE");
 			})
 		}
 	};

package/dist/plugins/two-factor/totp/index.mjs

@@ -28,7 +28,7 @@ const totp2fa = (options) => {
 		id: "totp",
 		version: PACKAGE_VERSION,
 		endpoints: {
-			generateTOTP: createAuthEndpoint({
+			generateTOTP: createAuthEndpoint.serverOnly({
 				method: "POST",
 				body: generateTOTPBodySchema,
 				metadata: { openapi: {

package/dist/plugins/two-factor/verify-two-factor.mjs

@@ -23,12 +23,16 @@ async function verifyTwoFactor(ctx) {
 		const dontRememberMe = await ctx.getSignedCookie(ctx.context.authCookies.dontRememberToken.name, ctx.context.secret);
 		return {
 			valid: async (ctx) => {
-				const session = await ctx.context.internalAdapter.createSession(verificationToken.value, !!dontRememberMe);
+				const consumed = await ctx.context.internalAdapter.consumeVerificationValue(signedTwoFactorCookie);
+				if (!consumed || consumed.value !== user.id) {
+					expireCookie(ctx, twoFactorCookie);
+					throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES.INVALID_TWO_FACTOR_COOKIE);
+				}
+				const session = await ctx.context.internalAdapter.createSession(consumed.value, !!dontRememberMe);
 				if (!session) throw APIError.from("INTERNAL_SERVER_ERROR", {
 					message: "failed to create session",
 					code: "FAILED_TO_CREATE_SESSION"
 				});
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(signedTwoFactorCookie);
 				await setSessionCookie(ctx, {
 					session,
 					user

package/dist/plugins/username/index.mjs

@@ -145,18 +145,18 @@ const username = (options) => {
 				} }
 			}, async (ctx) => {
 				if (!ctx.body.username || !ctx.body.password) {
-					ctx.context.logger.error("Username or password not found");
+					ctx.context.logger.warn("Username or password not found");
 					throw APIError.from("UNAUTHORIZED", USERNAME_ERROR_CODES.INVALID_USERNAME_OR_PASSWORD);
 				}
 				const username = options?.validationOrder?.username === "pre-normalization" ? normalizer(ctx.body.username) : ctx.body.username;
 				const minUsernameLength = options?.minUsernameLength || 3;
 				const maxUsernameLength = options?.maxUsernameLength || 30;
 				if (username.length < minUsernameLength) {
-					ctx.context.logger.error("Username too short", { username });
+					ctx.context.logger.warn("Username too short");
 					throw APIError.from("UNPROCESSABLE_ENTITY", USERNAME_ERROR_CODES.USERNAME_TOO_SHORT);
 				}
 				if (username.length > maxUsernameLength) {
-					ctx.context.logger.error("Username too long", { username });
+					ctx.context.logger.warn("Username too long");
 					throw APIError.from("UNPROCESSABLE_ENTITY", USERNAME_ERROR_CODES.USERNAME_TOO_LONG);
 				}
 				if (!await (options?.usernameValidator || defaultUsernameValidator)(username)) throw APIError.from("UNPROCESSABLE_ENTITY", USERNAME_ERROR_CODES.INVALID_USERNAME);
@@ -169,7 +169,7 @@ const username = (options) => {
 				});
 				if (!user) {
 					await ctx.context.password.hash(ctx.body.password);
-					ctx.context.logger.error("User not found", { username });
+					ctx.context.logger.warn("User not found");
 					throw APIError.from("UNAUTHORIZED", USERNAME_ERROR_CODES.INVALID_USERNAME_OR_PASSWORD);
 				}
 				const account = await ctx.context.adapter.findOne({
@@ -185,14 +185,14 @@ const username = (options) => {
 				if (!account) throw APIError.from("UNAUTHORIZED", USERNAME_ERROR_CODES.INVALID_USERNAME_OR_PASSWORD);
 				const currentPassword = account?.password;
 				if (!currentPassword) {
-					ctx.context.logger.error("Password not found", { username });
+					ctx.context.logger.warn("Password not found");
 					throw APIError.from("UNAUTHORIZED", USERNAME_ERROR_CODES.INVALID_USERNAME_OR_PASSWORD);
 				}
 				if (!await ctx.context.password.verify({
 					hash: currentPassword,
 					password: ctx.body.password
 				})) {
-					ctx.context.logger.error("Invalid password");
+					ctx.context.logger.warn("Invalid password");
 					throw APIError.from("UNAUTHORIZED", USERNAME_ERROR_CODES.INVALID_USERNAME_OR_PASSWORD);
 				}
 				if (ctx.context.options?.emailAndPassword?.requireEmailVerification && !user.emailVerified) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.16",
+  "version": "1.6.17",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -480,7 +480,7 @@
   },
   "dependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.2.2",
+    "@better-fetch/fetch": "1.3.0",
     "@noble/ciphers": "^2.1.1",
     "@noble/hashes": "^2.0.1",
     "better-call": "1.3.6",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.17 || ^0.29.0",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.16",
-    "@better-auth/drizzle-adapter": "1.6.16",
-    "@better-auth/kysely-adapter": "1.6.16",
-    "@better-auth/memory-adapter": "1.6.16",
-    "@better-auth/mongo-adapter": "1.6.16",
-    "@better-auth/prisma-adapter": "1.6.16",
-    "@better-auth/telemetry": "1.6.16"
+    "@better-auth/core": "1.6.17",
+    "@better-auth/drizzle-adapter": "1.6.17",
+    "@better-auth/kysely-adapter": "1.6.17",
+    "@better-auth/memory-adapter": "1.6.17",
+    "@better-auth/mongo-adapter": "1.6.17",
+    "@better-auth/prisma-adapter": "1.6.17",
+    "@better-auth/telemetry": "1.6.17"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",