better-auth 1.6.16 → 1.6.18

package/dist/plugins/access/access.mjs

@@ -1,33 +1,63 @@
 import { BetterAuthError } from "@better-auth/core/error";
 //#region src/plugins/access/access.ts
+function unknownResourceResponse(requestedResource) {
+	return {
+		success: false,
+		error: `You are not allowed to access resource: ${requestedResource}`
+	};
+}
+function unauthorizedResourceResponse(requestedResource) {
+	return {
+		success: false,
+		error: `unauthorized to access resource "${requestedResource}"`
+	};
+}
+function normalizeConnector(connector) {
+	return connector === "OR" ? "OR" : "AND";
+}
+function isActionList(actions) {
+	return Array.isArray(actions);
+}
+function normalizeActionRequest(requestedActions) {
+	if (isActionList(requestedActions)) return {
+		actions: requestedActions,
+		connector: "AND"
+	};
+	if (!requestedActions || typeof requestedActions !== "object") throw new BetterAuthError("Invalid access control request");
+	const { actions, connector } = requestedActions;
+	if (!isActionList(actions)) return {
+		actions: [],
+		connector: normalizeConnector(connector)
+	};
+	return {
+		actions,
+		connector: normalizeConnector(connector)
+	};
+}
+function hasAllowedAction(allowedActions, requestedAction) {
+	return typeof requestedAction === "string" && allowedActions.includes(requestedAction);
+}
+function isResourceAuthorized(allowedActions, { actions, connector }) {
+	if (actions.length === 0) return false;
+	if (connector === "OR") return actions.some((requestedAction) => hasAllowedAction(allowedActions, requestedAction));
+	return actions.every((requestedAction) => hasAllowedAction(allowedActions, requestedAction));
+}
 function role(statements) {
 	return {
 		authorize(request, connector = "AND") {
-			let success = false;
+			let hasAuthorizedResource = false;
 			for (const [requestedResource, requestedActions] of Object.entries(request)) {
 				const allowedActions = statements[requestedResource];
 				if (!allowedActions) {
-					if (connector === "AND") return {
-						success: false,
-						error: `You are not allowed to access resource: ${requestedResource}`
-					};
-					success = false;
+					if (connector === "AND") return unknownResourceResponse(requestedResource);
 					continue;
 				}
-				if (Array.isArray(requestedActions)) success = requestedActions.length > 0 && requestedActions.every((requestedAction) => allowedActions.includes(requestedAction));
-				else if (typeof requestedActions === "object") {
-					const actions = requestedActions;
-					if (!Array.isArray(actions.actions) || actions.actions.length === 0) success = false;
-					else if (actions.connector === "OR") success = actions.actions.some((requestedAction) => allowedActions.includes(requestedAction));
-					else success = actions.actions.every((requestedAction) => allowedActions.includes(requestedAction));
-				} else throw new BetterAuthError("Invalid access control request");
-				if (success && connector === "OR") return { success };
-				if (!success && connector === "AND") return {
-					success: false,
-					error: `unauthorized to access resource "${requestedResource}"`
-				};
+				const isAuthorized = isResourceAuthorized(allowedActions, normalizeActionRequest(requestedActions));
+				if (isAuthorized) hasAuthorizedResource = true;
+				if (isAuthorized && connector === "OR") return { success: true };
+				if (!isAuthorized && connector === "AND") return unauthorizedResourceResponse(requestedResource);
 			}
-			if (success) return { success };
+			if (hasAuthorizedResource) return { success: true };
 			return {
 				success: false,
 				error: "Not authorized"

package/dist/plugins/admin/routes.mjs

@@ -816,16 +816,23 @@ const setUserPassword = (opts) => createAuthEndpoint("/admin/set-user-password",
 	const { newPassword, userId } = ctx.body;
 	const minPasswordLength = ctx.context.password.config.minPasswordLength;
 	if (newPassword.length < minPasswordLength) {
-		ctx.context.logger.error("Password is too short");
+		ctx.context.logger.warn("Password is too short");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_SHORT);
 	}
 	const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
 	if (newPassword.length > maxPasswordLength) {
-		ctx.context.logger.error("Password is too long");
+		ctx.context.logger.warn("Password is too long");
 		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 	}
+	if (!await ctx.context.internalAdapter.findUserById(userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
 	const hashedPassword = await ctx.context.password.hash(newPassword);
-	await ctx.context.internalAdapter.updatePassword(userId, hashedPassword);
+	if ((await ctx.context.internalAdapter.findAccounts(userId)).find((account) => account.providerId === "credential")) await ctx.context.internalAdapter.updatePassword(userId, hashedPassword);
+	else await ctx.context.internalAdapter.createAccount({
+		userId,
+		providerId: "credential",
+		accountId: userId,
+		password: hashedPassword
+	});
 	return ctx.json({ status: true });
 });
 const userHasPermissionBodySchema = z.object({

package/dist/plugins/captcha/constants.mjs

@@ -1,4 +1,11 @@
 //#region src/plugins/captcha/constants.ts
+/**
+* Upper bound (in milliseconds) for a single provider verification request.
+* Without it, a hanging provider would tie up the request indefinitely before
+* any rate limiting applies, so every verify handler aborts at this deadline
+* and fails closed.
+*/
+const CAPTCHA_VERIFY_TIMEOUT_MS = 1e4;
 const defaultEndpoints = [
 	"/sign-up/email",
 	"/sign-in/email",
@@ -17,4 +24,4 @@ const siteVerifyMap = {
 	[Providers.CAPTCHAFOX]: "https://api.captchafox.com/siteverify"
 };
 //#endregion
-export { Providers, defaultEndpoints, siteVerifyMap };
+export { CAPTCHA_VERIFY_TIMEOUT_MS, Providers, defaultEndpoints, siteVerifyMap };

package/dist/plugins/captcha/index.mjs

@@ -42,10 +42,16 @@ const captcha = (options) => ({
 				secretKey: options.secretKey,
 				remoteIP: remoteUserIP
 			};
-			if (options.provider === Providers.CLOUDFLARE_TURNSTILE) return await cloudflareTurnstile(handlerParams);
+			if (options.provider === Providers.CLOUDFLARE_TURNSTILE) return await cloudflareTurnstile({
+				...handlerParams,
+				expectedAction: options.expectedAction,
+				allowedHostnames: options.allowedHostnames
+			});
 			if (options.provider === Providers.GOOGLE_RECAPTCHA) return await googleRecaptcha({
 				...handlerParams,
-				minScore: options.minScore
+				minScore: options.minScore,
+				expectedAction: options.expectedAction,
+				allowedHostnames: options.allowedHostnames
 			});
 			if (options.provider === Providers.HCAPTCHA) return await hCaptcha({
 				...handlerParams,

package/dist/plugins/captcha/types.d.mts

@@ -10,9 +10,30 @@ interface BaseCaptchaOptions {
 interface GoogleRecaptchaOptions extends BaseCaptchaOptions {
   provider: typeof Providers.GOOGLE_RECAPTCHA;
   minScore?: number | undefined;
+  /**
+   * Expected reCAPTCHA v3 `action`. When set, a verification whose action does
+   * not match is rejected, preventing a token minted for another action on the
+   * same site key from being replayed against this endpoint.
+   */
+  expectedAction?: string | undefined;
+  /**
+   * Allow-list of hostnames the token must have been issued for. When set, a
+   * verification reporting a different hostname is rejected.
+   */
+  allowedHostnames?: string[] | undefined;
 }
 interface CloudflareTurnstileOptions extends BaseCaptchaOptions {
   provider: typeof Providers.CLOUDFLARE_TURNSTILE;
+  /**
+   * Expected Turnstile `action`. When set, a verification whose action does
+   * not match is rejected, preventing cross-context token reuse.
+   */
+  expectedAction?: string | undefined;
+  /**
+   * Allow-list of hostnames the token must have been issued for. When set, a
+   * verification reporting a different or missing hostname is rejected.
+   */
+  allowedHostnames?: string[] | undefined;
 }
 interface HCaptchaOptions extends BaseCaptchaOptions {
   provider: typeof Providers.HCAPTCHA;

package/dist/plugins/captcha/verify-handlers/captchafox.mjs

@@ -1,4 +1,5 @@
 import { middlewareResponse } from "../../../utils/middleware-response.mjs";
+import { CAPTCHA_VERIFY_TIMEOUT_MS } from "../constants.mjs";
 import { EXTERNAL_ERROR_CODES, INTERNAL_ERROR_CODES } from "../error-codes.mjs";
 import { encodeToURLParams } from "../utils.mjs";
 import { betterFetch } from "@better-fetch/fetch";
@@ -6,6 +7,7 @@ import { betterFetch } from "@better-fetch/fetch";
 const captchaFox = async ({ siteVerifyURL, captchaResponse, secretKey, siteKey, remoteIP }) => {
 	const response = await betterFetch(siteVerifyURL, {
 		method: "POST",
+		timeout: CAPTCHA_VERIFY_TIMEOUT_MS,
 		headers: { "Content-Type": "application/x-www-form-urlencoded" },
 		body: encodeToURLParams({
 			secret: secretKey,

package/dist/plugins/captcha/verify-handlers/cloudflare-turnstile.mjs

@@ -1,10 +1,12 @@
 import { middlewareResponse } from "../../../utils/middleware-response.mjs";
+import { CAPTCHA_VERIFY_TIMEOUT_MS } from "../constants.mjs";
 import { EXTERNAL_ERROR_CODES, INTERNAL_ERROR_CODES } from "../error-codes.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/plugins/captcha/verify-handlers/cloudflare-turnstile.ts
-const cloudflareTurnstile = async ({ siteVerifyURL, captchaResponse, secretKey, remoteIP }) => {
+const cloudflareTurnstile = async ({ siteVerifyURL, captchaResponse, secretKey, remoteIP, expectedAction, allowedHostnames }) => {
 	const response = await betterFetch(siteVerifyURL, {
 		method: "POST",
+		timeout: CAPTCHA_VERIFY_TIMEOUT_MS,
 		headers: { "Content-Type": "application/json" },
 		body: JSON.stringify({
 			secret: secretKey,
@@ -13,11 +15,14 @@ const cloudflareTurnstile = async ({ siteVerifyURL, captchaResponse, secretKey,
 		})
 	});
 	if (!response.data || response.error) throw new Error(INTERNAL_ERROR_CODES.SERVICE_UNAVAILABLE.message);
-	if (!response.data.success) return middlewareResponse({
+	const verificationFailed = () => middlewareResponse({
 		message: EXTERNAL_ERROR_CODES.VERIFICATION_FAILED.message,
 		code: EXTERNAL_ERROR_CODES.VERIFICATION_FAILED.code,
 		status: 403
 	});
+	if (!response.data.success) return verificationFailed();
+	if (expectedAction && response.data.action !== expectedAction) return verificationFailed();
+	if (allowedHostnames && allowedHostnames.length > 0 && !(response.data.hostname && allowedHostnames.includes(response.data.hostname))) return verificationFailed();
 };
 //#endregion
 export { cloudflareTurnstile };

package/dist/plugins/captcha/verify-handlers/google-recaptcha.mjs

@@ -1,4 +1,5 @@
 import { middlewareResponse } from "../../../utils/middleware-response.mjs";
+import { CAPTCHA_VERIFY_TIMEOUT_MS } from "../constants.mjs";
 import { EXTERNAL_ERROR_CODES, INTERNAL_ERROR_CODES } from "../error-codes.mjs";
 import { encodeToURLParams } from "../utils.mjs";
 import { betterFetch } from "@better-fetch/fetch";
@@ -6,9 +7,10 @@ import { betterFetch } from "@better-fetch/fetch";
 const isV3 = (response) => {
 	return "score" in response && typeof response.score === "number";
 };
-const googleRecaptcha = async ({ siteVerifyURL, captchaResponse, secretKey, minScore = .5, remoteIP }) => {
+const googleRecaptcha = async ({ siteVerifyURL, captchaResponse, secretKey, minScore = .5, remoteIP, expectedAction, allowedHostnames }) => {
 	const response = await betterFetch(siteVerifyURL, {
 		method: "POST",
+		timeout: CAPTCHA_VERIFY_TIMEOUT_MS,
 		headers: { "Content-Type": "application/x-www-form-urlencoded" },
 		body: encodeToURLParams({
 			secret: secretKey,
@@ -17,11 +19,14 @@ const googleRecaptcha = async ({ siteVerifyURL, captchaResponse, secretKey, minS
 		})
 	});
 	if (!response.data || response.error) throw new Error(INTERNAL_ERROR_CODES.SERVICE_UNAVAILABLE.message);
-	if (!response.data.success || isV3(response.data) && response.data.score < minScore) return middlewareResponse({
+	const verificationFailed = () => middlewareResponse({
 		message: EXTERNAL_ERROR_CODES.VERIFICATION_FAILED.message,
 		code: EXTERNAL_ERROR_CODES.VERIFICATION_FAILED.code,
 		status: 403
 	});
+	if (!response.data.success || isV3(response.data) && response.data.score < minScore) return verificationFailed();
+	if (expectedAction && response.data.action !== expectedAction) return verificationFailed();
+	if (allowedHostnames && allowedHostnames.length > 0 && !allowedHostnames.includes(response.data.hostname)) return verificationFailed();
 };
 //#endregion
 export { googleRecaptcha };

package/dist/plugins/captcha/verify-handlers/h-captcha.mjs

@@ -1,4 +1,5 @@
 import { middlewareResponse } from "../../../utils/middleware-response.mjs";
+import { CAPTCHA_VERIFY_TIMEOUT_MS } from "../constants.mjs";
 import { EXTERNAL_ERROR_CODES, INTERNAL_ERROR_CODES } from "../error-codes.mjs";
 import { encodeToURLParams } from "../utils.mjs";
 import { betterFetch } from "@better-fetch/fetch";
@@ -6,6 +7,7 @@ import { betterFetch } from "@better-fetch/fetch";
 const hCaptcha = async ({ siteVerifyURL, captchaResponse, secretKey, siteKey, remoteIP }) => {
 	const response = await betterFetch(siteVerifyURL, {
 		method: "POST",
+		timeout: CAPTCHA_VERIFY_TIMEOUT_MS,
 		headers: { "Content-Type": "application/x-www-form-urlencoded" },
 		body: encodeToURLParams({
 			secret: secretKey,

package/dist/plugins/device-authorization/routes.mjs

@@ -243,7 +243,21 @@ Follow [rfc8628#section-3.4](https://datatracker.ietf.org/doc/html/rfc8628#secti
 		});
 	}
 	if (deviceCodeRecord.status === "approved" && deviceCodeRecord.userId) {
-		const user = await ctx.context.internalAdapter.findUserById(deviceCodeRecord.userId);
+		const claimedDeviceCode = await ctx.context.adapter.consumeOne({
+			model: "deviceCode",
+			where: [{
+				field: "deviceCode",
+				value: device_code
+			}, {
+				field: "status",
+				value: "approved"
+			}]
+		});
+		if (!claimedDeviceCode?.userId) throw new APIError("BAD_REQUEST", {
+			error: "invalid_grant",
+			error_description: DEVICE_AUTHORIZATION_ERROR_CODES.INVALID_DEVICE_CODE.message
+		});
+		const user = await ctx.context.internalAdapter.findUserById(claimedDeviceCode.userId);
 		if (!user) throw new APIError("INTERNAL_SERVER_ERROR", {
 			error: "server_error",
 			error_description: DEVICE_AUTHORIZATION_ERROR_CODES.USER_NOT_FOUND.message
@@ -261,18 +275,11 @@ Follow [rfc8628#section-3.4](https://datatracker.ietf.org/doc/html/rfc8628#secti
 			user,
 			session
 		}), Math.floor((new Date(session.expiresAt).getTime() - Date.now()) / 1e3));
-		await ctx.context.adapter.delete({
-			model: "deviceCode",
-			where: [{
-				field: "id",
-				value: deviceCodeRecord.id
-			}]
-		});
 		return ctx.json({
 			access_token: session.token,
 			token_type: "Bearer",
 			expires_in: Math.floor((new Date(session.expiresAt).getTime() - Date.now()) / 1e3),
-			scope: deviceCodeRecord.scope || ""
+			scope: claimedDeviceCode.scope || ""
 		}, { headers: {
 			"Cache-Control": "no-store",
 			Pragma: "no-cache"

package/dist/plugins/email-otp/routes.mjs

@@ -115,7 +115,7 @@ const createVerificationOTPBodySchema = z.object({
 		description: "Type of the OTP"
 	})
 });
-const createVerificationOTP = (opts) => createAuthEndpoint({
+const createVerificationOTP = (opts) => createAuthEndpoint.serverOnly({
 	method: "POST",
 	body: createVerificationOTPBodySchema,
 	metadata: { openapi: {
@@ -159,7 +159,7 @@ const getVerificationOTPBodySchema = z.object({
 *
 * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-get-verification-otp)
 */
-const getVerificationOTP = (opts) => createAuthEndpoint({
+const getVerificationOTP = (opts) => createAuthEndpoint.serverOnly({
 	method: "GET",
 	query: getVerificationOTPBodySchema,
 	metadata: { openapi: {
@@ -636,24 +636,7 @@ const requestEmailChangeEmailOTP = (opts) => createAuthEndpoint("/email-otp/requ
 	}
 	if (opts.changeEmail?.verifyCurrentEmail) {
 		if (!ctx.body.otp) throw APIError$1.fromStatus("BAD_REQUEST", { message: "OTP is required to verify current email" });
-		const currentEmailVerificationValue = await ctx.context.internalAdapter.findVerificationValue(toOTPIdentifier("email-verification", email));
-		if (!currentEmailVerificationValue) throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
-		const currentEmailIdentifier = toOTPIdentifier("email-verification", email);
-		if (currentEmailVerificationValue.expiresAt < /* @__PURE__ */ new Date()) {
-			await ctx.context.internalAdapter.deleteVerificationByIdentifier(currentEmailIdentifier);
-			throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.OTP_EXPIRED);
-		}
-		const [otpValue, attempts] = splitAtLastColon(currentEmailVerificationValue.value);
-		const allowedAttempts = opts?.allowedAttempts || 3;
-		if (attempts && parseInt(attempts) >= allowedAttempts) {
-			await ctx.context.internalAdapter.deleteVerificationByIdentifier(currentEmailIdentifier);
-			throw APIError$1.from("FORBIDDEN", EMAIL_OTP_ERROR_CODES.TOO_MANY_ATTEMPTS);
-		}
-		if (!await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp)) {
-			await ctx.context.internalAdapter.updateVerificationByIdentifier(currentEmailIdentifier, { value: `${otpValue}:${parseInt(attempts || "0") + 1}` });
-			throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
-		}
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(currentEmailIdentifier);
+		await atomicVerifyOTP(ctx, opts, toOTPIdentifier("email-verification", email), ctx.body.otp);
 	} else if (ctx.body.otp) ctx.context.logger.warn("OTP provided but not required for verifying current email. If you want to require OTP verification for current email, please set the changeEmail.verifyCurrentEmail option to true in the configuration");
 	const otp = opts.generateOTP({
 		email: newEmail,
@@ -723,24 +706,7 @@ const changeEmailEmailOTP = (opts) => createAuthEndpoint("/email-otp/change-emai
 		ctx.context.logger.error("Email is the same");
 		throw APIError$1.fromStatus("BAD_REQUEST", { message: "Email is the same" });
 	}
-	const verificationValue = await ctx.context.internalAdapter.findVerificationValue(toOTPIdentifier("change-email", `${email}-${newEmail}`));
-	if (!verificationValue) throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
-	const changeEmailIdentifier = toOTPIdentifier("change-email", `${email}-${newEmail}`);
-	if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) {
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(changeEmailIdentifier);
-		throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.OTP_EXPIRED);
-	}
-	const [otpValue, attempts] = splitAtLastColon(verificationValue.value);
-	const allowedAttempts = opts?.allowedAttempts || 3;
-	if (attempts && parseInt(attempts) >= allowedAttempts) {
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(changeEmailIdentifier);
-		throw APIError$1.from("FORBIDDEN", EMAIL_OTP_ERROR_CODES.TOO_MANY_ATTEMPTS);
-	}
-	if (!await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp)) {
-		await ctx.context.internalAdapter.updateVerificationByIdentifier(changeEmailIdentifier, { value: `${otpValue}:${parseInt(attempts || "0") + 1}` });
-		throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
-	}
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(changeEmailIdentifier);
+	await atomicVerifyOTP(ctx, opts, toOTPIdentifier("change-email", `${email}-${newEmail}`), ctx.body.otp);
 	const currentUser = await ctx.context.internalAdapter.findUserByEmail(email);
 	if (!currentUser)
  /**
@@ -770,29 +736,33 @@ const changeEmailEmailOTP = (opts) => createAuthEndpoint("/email-otp/change-emai
 });
 const defaultOTPGenerator = (options) => generateRandomString(options.otpLength ?? 6, "0-9");
 /**
-* Atomically verifies OTP with race condition protection.
-* Deletes token before verification to prevent concurrent reuse.
-* Re-creates token with incremented attempts on failure.
+* Verifies a single-use OTP with race-condition protection.
+*
+* The atomic consume is the single gate: only the first concurrent caller
+* receives the record, every later racer receives `null` and is rejected, so
+* a correct OTP can only ever be accepted once. When the submitted code is
+* wrong the record is recreated with the same value and expiry and an
+* incremented attempt count so the next try can still find it; the budget is
+* enforced before verification, and a record whose attempts are exhausted is
+* left consumed (no recreate), locking the identifier out.
 */
 async function atomicVerifyOTP(ctx, opts, identifier, providedOTP) {
-	const verificationValue = await ctx.context.internalAdapter.findVerificationValue(identifier);
-	if (!verificationValue) throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
-	if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) {
+	const existing = await ctx.context.internalAdapter.findVerificationValue(identifier);
+	if (existing && existing.expiresAt < /* @__PURE__ */ new Date()) {
 		await ctx.context.internalAdapter.deleteVerificationByIdentifier(identifier);
 		throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.OTP_EXPIRED);
 	}
-	const [otpValue, attempts] = splitAtLastColon(verificationValue.value);
+	const consumed = await ctx.context.internalAdapter.consumeVerificationValue(identifier);
+	if (!consumed) throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
+	const [otpValue, attempts] = splitAtLastColon(consumed.value);
 	const allowedAttempts = opts?.allowedAttempts || 3;
-	if (attempts && parseInt(attempts) >= allowedAttempts) {
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(identifier);
-		throw APIError$1.from("FORBIDDEN", EMAIL_OTP_ERROR_CODES.TOO_MANY_ATTEMPTS);
-	}
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(identifier);
+	const usedAttempts = parseInt(attempts || "0");
+	if (usedAttempts >= allowedAttempts) throw APIError$1.from("FORBIDDEN", EMAIL_OTP_ERROR_CODES.TOO_MANY_ATTEMPTS);
 	if (!await verifyStoredOTP(ctx, opts, otpValue, providedOTP)) {
 		await ctx.context.internalAdapter.createVerificationValue({
-			value: `${otpValue}:${parseInt(attempts || "0") + 1}`,
+			value: `${otpValue}:${usedAttempts + 1}`,
 			identifier,
-			expiresAt: verificationValue.expiresAt
+			expiresAt: consumed.expiresAt
 		});
 		throw APIError$1.from("BAD_REQUEST", EMAIL_OTP_ERROR_CODES.INVALID_OTP);
 	}

package/dist/plugins/generic-oauth/index.mjs

@@ -14,6 +14,9 @@ import { APIError } from "@better-auth/core/error";
 import { applyDefaultAccessTokenExpiry, createAuthorizationURL, refreshAccessToken, validateAuthorizationCode } from "@better-auth/core/oauth2";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/plugins/generic-oauth/index.ts
+function isNonEmptyOAuthId(id) {
+	return id !== void 0 && id !== null && id !== "";
+}
 /**
 * A generic OAuth plugin that can be used to add OAuth support to any provider
 */
@@ -114,14 +117,16 @@ const genericOAuth = (options) => {
 						const userInfo = c.getUserInfo ? await c.getUserInfo(tokens) : await getUserInfo(tokens, finalUserInfoUrl);
 						if (!userInfo) return null;
 						const userMap = await c.mapProfileToUser?.(userInfo);
+						const rawId = isNonEmptyOAuthId(userMap?.id) ? userMap.id : isNonEmptyOAuthId(userInfo.id) ? userInfo.id : isNonEmptyOAuthId(userInfo.sub) ? userInfo.sub : void 0;
+						if (rawId === void 0) return null;
 						return {
 							user: {
-								id: userInfo?.id,
 								email: userInfo?.email,
 								emailVerified: userInfo?.emailVerified,
 								image: userInfo?.image,
 								name: userInfo?.name,
-								...userMap
+								...userMap,
+								id: String(rawId)
 							},
 							data: userInfo
 						};

package/dist/plugins/generic-oauth/routes.mjs

@@ -15,6 +15,9 @@ import * as z from "zod";
 import { decodeJwt } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/plugins/generic-oauth/routes.ts
+function isNonEmptyOAuthId(id) {
+	return id !== void 0 && id !== null && id !== "";
+}
 const signInWithOAuth2BodySchema = z.object({
 	providerId: z.string().meta({ description: "The provider ID for the OAuth provider" }),
 	callbackURL: z.string().meta({ description: "The URL to redirect to after sign in" }).optional(),
@@ -209,8 +212,8 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 			ctx.context.logger.error(missingEmailLogMessage(providerConfig.providerId, { source: "generic" }), userInfo);
 			redirectOnError(ctx, resolvedErrorURL, "email_is_missing");
 		}
-		const rawId = mapUser.id !== void 0 && mapUser.id !== null && mapUser.id !== "" ? mapUser.id : userInfo.id;
-		const id = rawId !== void 0 && rawId !== null ? String(rawId) : "";
+		const rawId = isNonEmptyOAuthId(mapUser.id) ? mapUser.id : isNonEmptyOAuthId(userInfo.id) ? userInfo.id : isNonEmptyOAuthId(userInfo.sub) ? userInfo.sub : void 0;
+		const id = rawId !== void 0 ? String(rawId) : "";
 		if (!id) {
 			ctx.context.logger.error("Provider did not return an account id (e.g. `sub`). Unable to sign in.", userInfo);
 			redirectOnError(ctx, resolvedErrorURL, "id_is_missing");
@@ -399,19 +402,20 @@ async function getUserInfo(tokens, finalUserInfoUrl) {
 		}
 	}
 	if (!finalUserInfoUrl) return null;
-	const userInfo = await betterFetch(finalUserInfoUrl, {
+	const profile = (await betterFetch(finalUserInfoUrl, {
 		method: "GET",
 		headers: { Authorization: `Bearer ${tokens.accessToken}` }
-	});
-	const subjectId = userInfo.data?.sub ?? userInfo.data?.id;
-	if (subjectId === void 0 || subjectId === null || subjectId === "") return null;
+	})).data;
+	if (!profile) return null;
+	const { id: profileId, ...profileFields } = profile;
+	const subjectId = isNonEmptyOAuthId(profileId) ? profileId : isNonEmptyOAuthId(profile.sub) ? profile.sub : void 0;
 	return {
-		id: subjectId,
-		emailVerified: userInfo.data?.email_verified ?? false,
-		email: userInfo.data?.email,
-		image: userInfo.data?.picture,
-		name: userInfo.data?.name,
-		...userInfo.data
+		...profileFields,
+		...subjectId !== void 0 ? { id: subjectId } : {},
+		email: profile?.email,
+		emailVerified: profile?.email_verified ?? false,
+		image: profile?.picture,
+		name: profile?.name
 	};
 }
 //#endregion

package/dist/plugins/haveibeenpwned/index.d.mts

@@ -17,7 +17,7 @@ interface HaveIBeenPwnedOptions {
   /**
    * Paths to check for password
    *
-   * @default ["/sign-up/email", "/change-password", "/reset-password"]
+   * @default ["/sign-up/email", "/change-password", "/reset-password", "/email-otp/reset-password", "/phone-number/reset-password", "/admin/create-user", "/admin/set-user-password"]
    */
   paths?: string[];
   /**

package/dist/plugins/haveibeenpwned/index.mjs

@@ -31,7 +31,11 @@ const haveIBeenPwned = (options) => {
 	const paths = options?.paths || [
 		"/sign-up/email",
 		"/change-password",
-		"/reset-password"
+		"/reset-password",
+		"/email-otp/reset-password",
+		"/phone-number/reset-password",
+		"/admin/create-user",
+		"/admin/set-user-password"
 	];
 	return {
 		id: "have-i-been-pwned",

package/dist/plugins/index.d.mts

@@ -41,10 +41,14 @@ import { getClient, getMetadata, oidcProvider } from "./oidc-provider/index.mjs"
 import { getMCPProtectedResourceMetadata, getMCPProviderMetadata, mcp, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, withMcpAuth } from "./mcp/index.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "./multi-session/error-codes.mjs";
 import { MultiSessionConfig, multiSession } from "./multi-session/index.mjs";
+import { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE } from "./oauth-popup/constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./oauth-popup/error-codes.mjs";
+import { OAuthPopupData, OAuthPopupMessage } from "./oauth-popup/types.mjs";
+import { OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_SCRIPT_CSP_HASH, oauthPopup } from "./oauth-popup/index.mjs";
 import { OAuthProxyOptions, oAuthProxy } from "./oauth-proxy/index.mjs";
 import { OneTapOptions, oneTap } from "./one-tap/index.mjs";
 import { OneTimeTokenOptions, oneTimeToken } from "./one-time-token/index.mjs";
-import { FieldSchema, OpenAPIModelSchema, Path, generator } from "./open-api/generator.mjs";
+import { FieldSchema, OpenAPIModelSchema, OpenAPIParameter, OpenAPISchema, Path, generator } from "./open-api/generator.mjs";
 import { OpenAPIOptions, openAPI } from "./open-api/index.mjs";
 import { PhoneNumberOptions, UserWithPhoneNumber } from "./phone-number/types.mjs";
 import { phoneNumber } from "./phone-number/index.mjs";
@@ -62,4 +66,4 @@ import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
 import { UsernameOptions, username } from "./username/index.mjs";
 import { hasPermission } from "./organization/has-permission.mjs";
 import { DefaultOrganizationPlugin, DynamicAccessControlEndpoints, OrganizationCreator, OrganizationEndpoints, OrganizationPlugin, TeamEndpoints, organization, parseRoles } from "./organization/organization.mjs";
-export { AccessControl, AdminOptions, AnonymousOptions, AnonymousSession, ArrayElement, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, ExactRoleStatements, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, LoginResult, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, Path, PatreonOptions, PhoneNumberOptions, Provider, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TestCookie, TestHelpers, TestUtilsOptions, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, encodeBackupCodes, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, testUtils, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };
+export { AccessControl, AdminOptions, AnonymousOptions, AnonymousSession, ArrayElement, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, ExactRoleStatements, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, LoginResult, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_ERROR_CODES, OAUTH_POPUP_MESSAGE_TYPE, OAUTH_POPUP_SCRIPT_CSP_HASH, OAuthAccessToken, OAuthPopupData, OAuthPopupMessage, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, OpenAPIParameter, OpenAPISchema, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, POPUP_MARKER_COOKIE, Path, PatreonOptions, PhoneNumberOptions, Provider, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TestCookie, TestHelpers, TestUtilsOptions, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, encodeBackupCodes, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oauthPopup, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, testUtils, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };

package/dist/plugins/index.mjs

@@ -1,6 +1,8 @@
 import { HIDE_METADATA } from "../utils/hide-metadata.mjs";
 import { createAccessControl, role } from "./access/access.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "./multi-session/error-codes.mjs";
+import { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE } from "./oauth-popup/constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./oauth-popup/error-codes.mjs";
 import { TWO_FACTOR_ERROR_CODES } from "./two-factor/error-code.mjs";
 import { twoFactorClient } from "./two-factor/client.mjs";
 import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
@@ -31,6 +33,7 @@ import { magicLink } from "./magic-link/index.mjs";
 import { getClient, getMetadata, oidcProvider } from "./oidc-provider/index.mjs";
 import { getMCPProtectedResourceMetadata, getMCPProviderMetadata, mcp, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, withMcpAuth } from "./mcp/index.mjs";
 import { multiSession } from "./multi-session/index.mjs";
+import { OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_SCRIPT_CSP_HASH, oauthPopup } from "./oauth-popup/index.mjs";
 import { oAuthProxy } from "./oauth-proxy/index.mjs";
 import { oneTap } from "./one-tap/index.mjs";
 import { oneTimeToken } from "./one-time-token/index.mjs";
@@ -43,4 +46,4 @@ import { siwe } from "./siwe/index.mjs";
 import { testUtils } from "./test-utils/index.mjs";
 import { twoFactor } from "./two-factor/index.mjs";
 import { username } from "./username/index.mjs";
-export { MULTI_SESSION_ERROR_CODES as ERROR_CODES, HIDE_METADATA, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, admin, anonymous, auth0, bearer, captcha, createAccessControl, createJwk, customSession, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, generateExportedKeyPair, genericOAuth, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, microsoftEntraId, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, parseRoles, patreon, phoneNumber, role, signJWT, siwe, slack, testUtils, toExpJWT, twoFactor, twoFactorClient, username, verifyJWT, withMcpAuth };
+export { MULTI_SESSION_ERROR_CODES as ERROR_CODES, HIDE_METADATA, OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_ERROR_CODES, OAUTH_POPUP_MESSAGE_TYPE, OAUTH_POPUP_SCRIPT_CSP_HASH, POPUP_MARKER_COOKIE, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, admin, anonymous, auth0, bearer, captcha, createAccessControl, createJwk, customSession, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, generateExportedKeyPair, genericOAuth, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, microsoftEntraId, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oauthPopup, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, parseRoles, patreon, phoneNumber, role, signJWT, siwe, slack, testUtils, toExpJWT, twoFactor, twoFactorClient, username, verifyJWT, withMcpAuth };

package/dist/plugins/jwt/index.mjs

@@ -144,7 +144,7 @@ const jwt = (options) => {
 				const jwt = await getJwtToken(ctx, options);
 				return ctx.json({ token: jwt });
 			}),
-			signJWT: createAuthEndpoint({
+			signJWT: createAuthEndpoint.serverOnly({
 				method: "POST",
 				metadata: { $Infer: { body: {} } },
 				body: signJWTBodySchema
@@ -158,7 +158,7 @@ const jwt = (options) => {
 				});
 				return c.json({ token: jwt });
 			}),
-			verifyJWT: createAuthEndpoint({
+			verifyJWT: createAuthEndpoint.serverOnly({
 				method: "POST",
 				metadata: { $Infer: {
 					body: {},

package/dist/plugins/mcp/client/index.mjs

@@ -65,6 +65,7 @@ function createMcpAuthClient(options) {
 			if (!response.ok) return null;
 			const data = await response.json();
 			if (!data || !data.userId) return null;
+			if (data.accessTokenExpiresAt && new Date(data.accessTokenExpiresAt).getTime() < Date.now()) return null;
 			return data;
 		} catch {
 			return null;