better-auth 1.6.16 → 1.6.18

package/dist/plugins/mcp/index.mjs

@@ -302,6 +302,10 @@ const mcp = (options) => {
 						error_description: "refresh token expired",
 						error: "invalid_grant"
 					});
+					if (!token.scopes?.split(" ").includes("offline_access")) throw new APIError("UNAUTHORIZED", {
+						error_description: "refresh token was not issued for the offline_access scope",
+						error: "invalid_grant"
+					});
 					const refreshClient = await ctx.context.adapter.findOne({
 						model: modelName.oauthClient,
 						where: [{
@@ -693,6 +697,10 @@ const mcp = (options) => {
 					}]
 				});
 				if (!accessTokenData) return c.json(null);
+				if (accessTokenData.accessTokenExpiresAt < /* @__PURE__ */ new Date()) {
+					c.headers?.set("WWW-Authenticate", "Bearer");
+					return c.json(null);
+				}
 				return c.json(accessTokenData);
 			})
 		},

package/dist/plugins/multi-session/index.mjs

@@ -55,8 +55,9 @@ const multiSession = (options) => {
 			}, async (ctx) => {
 				const sessionToken = ctx.body.sessionToken;
 				const multiSessionCookieName = `${ctx.context.authCookies.sessionToken.name}_multi-${sessionToken.toLowerCase()}`;
-				if (!await ctx.getSignedCookie(multiSessionCookieName, ctx.context.secret)) throw APIError.from("UNAUTHORIZED", MULTI_SESSION_ERROR_CODES.INVALID_SESSION_TOKEN);
-				const session = await ctx.context.internalAdapter.findSession(sessionToken);
+				const sessionCookie = await ctx.getSignedCookie(multiSessionCookieName, ctx.context.secret);
+				if (!sessionCookie) throw APIError.from("UNAUTHORIZED", MULTI_SESSION_ERROR_CODES.INVALID_SESSION_TOKEN);
+				const session = await ctx.context.internalAdapter.findSession(sessionCookie);
 				if (!session || session.session.expiresAt < /* @__PURE__ */ new Date()) {
 					expireCookie(ctx, {
 						name: multiSessionCookieName,
@@ -88,13 +89,14 @@ const multiSession = (options) => {
 			}, async (ctx) => {
 				const sessionToken = ctx.body.sessionToken;
 				const multiSessionCookieName = `${ctx.context.authCookies.sessionToken.name}_multi-${sessionToken.toLowerCase()}`;
-				if (!await ctx.getSignedCookie(multiSessionCookieName, ctx.context.secret)) throw APIError.from("UNAUTHORIZED", MULTI_SESSION_ERROR_CODES.INVALID_SESSION_TOKEN);
-				await ctx.context.internalAdapter.deleteSession(sessionToken);
+				const sessionCookie = await ctx.getSignedCookie(multiSessionCookieName, ctx.context.secret);
+				if (!sessionCookie) throw APIError.from("UNAUTHORIZED", MULTI_SESSION_ERROR_CODES.INVALID_SESSION_TOKEN);
+				await ctx.context.internalAdapter.deleteSession(sessionCookie);
 				expireCookie(ctx, {
 					name: multiSessionCookieName,
 					attributes: ctx.context.authCookies.sessionToken.attributes
 				});
-				if (!(ctx.context.session?.session.token === sessionToken)) return ctx.json({ status: true });
+				if (!(ctx.context.session?.session.token === sessionCookie)) return ctx.json({ status: true });
 				const cookieHeader = ctx.headers?.get("cookie");
 				if (cookieHeader) {
 					const cookies = Object.fromEntries(parseCookies(cookieHeader));

package/dist/plugins/oauth-popup/client.d.mts

@@ -0,0 +1,82 @@
+import { POPUP_TOKEN_STORAGE_KEY } from "./constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./error-codes.mjs";
+import { oauthPopup } from "./index.mjs";
+import { BetterAuthClientOptions, ClientStore } from "@better-auth/core";
+import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
+import { BetterFetch, BetterFetchPlugin } from "@better-fetch/fetch";
+
+//#region src/plugins/oauth-popup/client.d.ts
+/** Inputs for `authClient.signIn.popup`; mirror the redirect sign-in. */
+interface SignInPopupOptions {
+  /** Built-in social provider id (e.g. `"google"`). */
+  provider?: string;
+  /** Generic OAuth provider id (registered via `genericOAuth`). */
+  providerId?: string;
+  callbackURL?: string;
+  errorCallbackURL?: string;
+  newUserCallbackURL?: string;
+  requestSignUp?: boolean;
+  scopes?: string[];
+  additionalData?: Record<string, unknown>;
+  /** `window.open` feature string; defaults to a centered 500x600 window. */
+  windowFeatures?: string;
+  /** How long (ms) to wait for the popup to complete. Default 5 minutes. */
+  timeoutMs?: number;
+}
+interface SignInPopupResult {
+  data: {
+    success: boolean;
+  } | null;
+  error: {
+    code: string;
+    message: string;
+    status?: number;
+  } | null;
+}
+/** Reads the stored popup token (browser-only; null otherwise). */
+declare function getStoredPopupToken(): string | null;
+/**
+ * Attaches the popup token as a bearer header when embedded (where the cookie is
+ * partitioned), and clears it once the session ends so it can't be reused.
+ */
+declare const popupBearerFetchPlugin: BetterFetchPlugin;
+interface SignInPopupDeps {
+  $fetch: BetterFetch;
+  options?: BetterAuthClientOptions | undefined;
+  /** Refreshes the reactive session, as the redirect flow's atom listeners do. */
+  notifySessionSignal: () => void;
+}
+/**
+ * Builds `signIn.popup`. Runs the sign-in in the popup's own first-party
+ * context (so the OAuth state cookie lands there), waits for the completion
+ * page to post the session token back, stores it for the bearer fetch plugin,
+ * and refreshes the reactive session.
+ */
+declare function createSignInPopup({
+  $fetch,
+  options,
+  notifySessionSignal
+}: SignInPopupDeps): (opts: SignInPopupOptions) => Promise<SignInPopupResult>;
+/**
+ * Client plugin for popup OAuth sign-in. Adds `authClient.signIn.popup`. Pair
+ * with the server `oauthPopup` and `bearer` plugins.
+ */
+declare const oauthPopupClient: () => {
+  id: "oauth-popup";
+  version: string;
+  $InferServerPlugin: ReturnType<typeof oauthPopup>;
+  $ERROR_CODES: {
+    POPUP_SIGN_IN_FAILED: _better_auth_core_utils_error_codes0.RawError<"POPUP_SIGN_IN_FAILED">;
+    POPUP_BLOCKED: _better_auth_core_utils_error_codes0.RawError<"POPUP_BLOCKED">;
+    POPUP_CLOSED: _better_auth_core_utils_error_codes0.RawError<"POPUP_CLOSED">;
+    POPUP_TIMEOUT: _better_auth_core_utils_error_codes0.RawError<"POPUP_TIMEOUT">;
+  };
+  fetchPlugins: BetterFetchPlugin[];
+  getActions: ($fetch: BetterFetch, $store: ClientStore, options: BetterAuthClientOptions | undefined) => {
+    signIn: {
+      popup: (opts: SignInPopupOptions) => Promise<SignInPopupResult>;
+    };
+  };
+};
+//#endregion
+export { SignInPopupOptions, SignInPopupResult, createSignInPopup, getStoredPopupToken, oauthPopupClient, popupBearerFetchPlugin };

package/dist/plugins/oauth-popup/client.mjs

@@ -0,0 +1,203 @@
+import { getBaseURL } from "../../utils/url.mjs";
+import { PACKAGE_VERSION } from "../../version.mjs";
+import { POPUP_TOKEN_STORAGE_KEY } from "./constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./error-codes.mjs";
+//#region src/plugins/oauth-popup/client.ts
+const POPUP_NAME = "better-auth-oauth";
+const POPUP_WIDTH = 500;
+const POPUP_HEIGHT = 600;
+const CLOSED_POLL_MS = 500;
+const DEFAULT_TIMEOUT_MS = 300 * 1e3;
+/** True when embedded cross-origin, where the cookie may be partitioned. */
+function isEmbedded() {
+	if (typeof window === "undefined" || window.self === window.top) return false;
+	try {
+		window.top?.location.href;
+		return false;
+	} catch {
+		return true;
+	}
+}
+/** Reads the stored popup token (browser-only; null otherwise). */
+function getStoredPopupToken() {
+	if (typeof window === "undefined") return null;
+	try {
+		return window.localStorage.getItem(POPUP_TOKEN_STORAGE_KEY);
+	} catch {
+		return null;
+	}
+}
+function storePopupToken(token) {
+	try {
+		window.localStorage?.setItem(POPUP_TOKEN_STORAGE_KEY, token);
+	} catch {}
+}
+function clearPopupToken() {
+	try {
+		window.localStorage?.removeItem(POPUP_TOKEN_STORAGE_KEY);
+	} catch {}
+}
+/**
+* Attaches the popup token as a bearer header when embedded (where the cookie is
+* partitioned), and clears it once the session ends so it can't be reused.
+*/
+const popupBearerFetchPlugin = {
+	id: "better-auth-popup-bearer",
+	name: "Popup Bearer",
+	hooks: {
+		onRequest(context) {
+			if (!isEmbedded()) return context;
+			const token = getStoredPopupToken();
+			if (!token) return context;
+			const headers = new Headers(context.headers);
+			if (!headers.has("authorization")) headers.set("authorization", `Bearer ${token}`);
+			return {
+				...context,
+				headers
+			};
+		},
+		onSuccess(context) {
+			const path = new URL(context.request.url).pathname;
+			if (path.endsWith("/sign-out") || path.endsWith("/revoke-session") || path.endsWith("/revoke-sessions") || path.endsWith("/revoke-other-sessions") || path.endsWith("/delete-user")) clearPopupToken();
+		}
+	}
+};
+let activePopup = null;
+function popupError(code, status) {
+	return {
+		data: null,
+		error: {
+			code,
+			message: String(OAUTH_POPUP_ERROR_CODES[code]),
+			...status ? { status } : {}
+		}
+	};
+}
+function centeredFeatures() {
+	return `width=${POPUP_WIDTH},height=${POPUP_HEIGHT},left=${window.screenX + (window.outerWidth - POPUP_WIDTH) / 2},top=${window.screenY + (window.outerHeight - POPUP_HEIGHT) / 2},menubar=no,toolbar=no`;
+}
+function randomNonce() {
+	const bytes = new Uint8Array(16);
+	crypto.getRandomValues(bytes);
+	return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+/**
+* Resolves with the token (or relayed error) once the completion page posts
+* back, gating on origin, type, and nonce.
+*/
+function waitForPopupResult(popup, expectedOrigin, nonce, timeoutMs) {
+	return new Promise((resolve) => {
+		let settled = false;
+		const settle = (outcome) => {
+			if (settled) return;
+			settled = true;
+			window.removeEventListener("message", onMessage);
+			clearInterval(closedPoll);
+			clearTimeout(timeout);
+			try {
+				if (!popup.closed) popup.close();
+			} catch {}
+			resolve(outcome);
+		};
+		const onMessage = (event) => {
+			if (event.origin !== expectedOrigin) return;
+			const data = event.data;
+			if (data?.type !== "better-auth:oauth-popup") return;
+			if (data.nonce !== nonce) return;
+			if (data.error) {
+				settle({
+					status: "error",
+					error: data.error
+				});
+				return;
+			}
+			if (typeof data.token !== "string" || !data.token) return;
+			settle({
+				status: "success",
+				token: data.token
+			});
+		};
+		const closedPoll = setInterval(() => {
+			if (popup.closed) settle({ status: "cancelled" });
+		}, CLOSED_POLL_MS);
+		const timeout = setTimeout(() => settle({ status: "timeout" }), timeoutMs);
+		window.addEventListener("message", onMessage);
+	});
+}
+function resolveAuthURL(options) {
+	const configured = getBaseURL(options?.baseURL, options?.basePath) ?? options?.basePath ?? "/api/auth";
+	return new URL(configured, window.location.origin);
+}
+/**
+* Builds `signIn.popup`. Runs the sign-in in the popup's own first-party
+* context (so the OAuth state cookie lands there), waits for the completion
+* page to post the session token back, stores it for the bearer fetch plugin,
+* and refreshes the reactive session.
+*/
+function createSignInPopup({ $fetch, options, notifySessionSignal }) {
+	return async function signInPopup(opts) {
+		if (typeof window === "undefined") return popupError("POPUP_SIGN_IN_FAILED");
+		const { provider, providerId, additionalData, windowFeatures, timeoutMs = DEFAULT_TIMEOUT_MS, callbackURL, errorCallbackURL, newUserCallbackURL, scopes, requestSignUp } = opts;
+		if (!provider && !providerId) return popupError("POPUP_SIGN_IN_FAILED");
+		if (activePopup && !activePopup.closed) {
+			activePopup.focus();
+			return popupError("POPUP_SIGN_IN_FAILED");
+		}
+		const nonce = randomNonce();
+		const authUrl = resolveAuthURL(options);
+		const authOrigin = authUrl.origin;
+		const startUrl = new URL(`${authUrl.href.replace(/\/$/, "")}/oauth-popup/start`);
+		startUrl.searchParams.set("provider", provider ?? providerId);
+		startUrl.searchParams.set("popupOrigin", window.location.origin);
+		startUrl.searchParams.set("popupNonce", nonce);
+		if (callbackURL) startUrl.searchParams.set("callbackURL", callbackURL);
+		if (errorCallbackURL) startUrl.searchParams.set("errorCallbackURL", errorCallbackURL);
+		if (newUserCallbackURL) startUrl.searchParams.set("newUserCallbackURL", newUserCallbackURL);
+		if (scopes?.length) startUrl.searchParams.set("scopes", scopes.join(","));
+		if (requestSignUp) startUrl.searchParams.set("requestSignUp", "true");
+		if (additionalData) startUrl.searchParams.set("additionalData", JSON.stringify(additionalData));
+		const popup = window.open(startUrl.toString(), POPUP_NAME, windowFeatures ?? centeredFeatures());
+		if (!popup) return popupError("POPUP_BLOCKED");
+		activePopup = popup;
+		const outcome = await waitForPopupResult(popup, authOrigin, nonce, timeoutMs);
+		activePopup = null;
+		if (outcome.status === "timeout") return popupError("POPUP_TIMEOUT");
+		if (outcome.status === "cancelled") return popupError("POPUP_CLOSED");
+		if (outcome.status === "error") return {
+			data: null,
+			error: {
+				code: outcome.error.code,
+				message: outcome.error.description || outcome.error.code
+			}
+		};
+		if (isEmbedded()) storePopupToken(outcome.token);
+		else clearPopupToken();
+		const session = await $fetch("/get-session");
+		if (session.error || !session.data) return popupError("POPUP_SIGN_IN_FAILED", session.error?.status);
+		notifySessionSignal();
+		return {
+			data: { success: true },
+			error: null
+		};
+	};
+}
+/**
+* Client plugin for popup OAuth sign-in. Adds `authClient.signIn.popup`. Pair
+* with the server `oauthPopup` and `bearer` plugins.
+*/
+const oauthPopupClient = () => {
+	return {
+		id: "oauth-popup",
+		version: PACKAGE_VERSION,
+		$InferServerPlugin: {},
+		$ERROR_CODES: OAUTH_POPUP_ERROR_CODES,
+		fetchPlugins: [popupBearerFetchPlugin],
+		getActions: ($fetch, $store, options) => ({ signIn: { popup: createSignInPopup({
+			$fetch,
+			options,
+			notifySessionSignal: () => $store.notify("$sessionSignal")
+		}) } })
+	};
+};
+//#endregion
+export { createSignInPopup, getStoredPopupToken, oauthPopupClient, popupBearerFetchPlugin };

package/dist/plugins/oauth-popup/constants.d.mts

@@ -0,0 +1,11 @@
+//#region src/plugins/oauth-popup/constants.d.ts
+/** postMessage `type` the completion page posts to its opener. */
+declare const OAUTH_POPUP_MESSAGE_TYPE = "better-auth:oauth-popup";
+/** DOM id of the inert JSON data block the completion page reads. */
+declare const OAUTH_POPUP_DATA_ELEMENT_ID = "better-auth-oauth-popup";
+/** Signed cookie carrying the opener origin/nonce from sign-in to callback. */
+declare const POPUP_MARKER_COOKIE = "oauth_popup";
+/** localStorage key the popup session token is persisted under. */
+declare const POPUP_TOKEN_STORAGE_KEY = "better-auth.popup_token";
+//#endregion
+export { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE, POPUP_TOKEN_STORAGE_KEY };

package/dist/plugins/oauth-popup/constants.mjs

@@ -0,0 +1,11 @@
+//#region src/plugins/oauth-popup/constants.ts
+/** postMessage `type` the completion page posts to its opener. */
+const OAUTH_POPUP_MESSAGE_TYPE = "better-auth:oauth-popup";
+/** DOM id of the inert JSON data block the completion page reads. */
+const OAUTH_POPUP_DATA_ELEMENT_ID = "better-auth-oauth-popup";
+/** Signed cookie carrying the opener origin/nonce from sign-in to callback. */
+const POPUP_MARKER_COOKIE = "oauth_popup";
+/** localStorage key the popup session token is persisted under. */
+const POPUP_TOKEN_STORAGE_KEY = "better-auth.popup_token";
+//#endregion
+export { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE, POPUP_TOKEN_STORAGE_KEY };

package/dist/plugins/oauth-popup/error-codes.d.mts

@@ -0,0 +1,11 @@
+import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
+
+//#region src/plugins/oauth-popup/error-codes.d.ts
+declare const OAUTH_POPUP_ERROR_CODES: {
+  POPUP_SIGN_IN_FAILED: _better_auth_core_utils_error_codes0.RawError<"POPUP_SIGN_IN_FAILED">;
+  POPUP_BLOCKED: _better_auth_core_utils_error_codes0.RawError<"POPUP_BLOCKED">;
+  POPUP_CLOSED: _better_auth_core_utils_error_codes0.RawError<"POPUP_CLOSED">;
+  POPUP_TIMEOUT: _better_auth_core_utils_error_codes0.RawError<"POPUP_TIMEOUT">;
+};
+//#endregion
+export { OAUTH_POPUP_ERROR_CODES };

package/dist/plugins/oauth-popup/error-codes.mjs

@@ -0,0 +1,10 @@
+import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
+//#region src/plugins/oauth-popup/error-codes.ts
+const OAUTH_POPUP_ERROR_CODES = defineErrorCodes({
+	POPUP_SIGN_IN_FAILED: "Popup sign-in failed",
+	POPUP_BLOCKED: "Sign-in popup was blocked by the browser",
+	POPUP_CLOSED: "Sign-in popup was closed before completing",
+	POPUP_TIMEOUT: "Sign-in popup timed out"
+});
+//#endregion
+export { OAUTH_POPUP_ERROR_CODES };

package/dist/plugins/oauth-popup/index.d.mts

@@ -0,0 +1,67 @@
+import { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE } from "./constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./error-codes.mjs";
+import { OAuthPopupData, OAuthPopupMessage } from "./types.mjs";
+import * as _better_auth_core0 from "@better-auth/core";
+import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
+import * as better_call0 from "better-call";
+import * as z from "zod";
+
+//#region src/plugins/oauth-popup/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    "oauth-popup": {
+      creator: typeof oauthPopup;
+    };
+  }
+}
+/**
+ * The completion-page script.
+ */
+declare const OAUTH_POPUP_COMPLETE_SCRIPT: string;
+/**
+ * sha256 of `OAUTH_POPUP_COMPLETE_SCRIPT`, pinned in the completion CSP.
+ */
+declare const OAUTH_POPUP_SCRIPT_CSP_HASH = "sha256-tIo2K8VBC9SnhvdZ+9GsGkQoZm+jm/JcxL+d+i8b8KQ=";
+/**
+ * Server plugin for popup-based OAuth. `signIn.popup` navigates the popup to
+ * `/oauth-popup/start`; on the OAuth callback this plugin swaps the redirect for
+ * a page that posts the session token (or error) back to the opener. Pair with
+ * the `bearer` plugin and `oauthPopupClient`.
+ */
+declare const oauthPopup: () => {
+  id: "oauth-popup";
+  version: string;
+  $ERROR_CODES: {
+    POPUP_SIGN_IN_FAILED: _better_auth_core_utils_error_codes0.RawError<"POPUP_SIGN_IN_FAILED">;
+    POPUP_BLOCKED: _better_auth_core_utils_error_codes0.RawError<"POPUP_BLOCKED">;
+    POPUP_CLOSED: _better_auth_core_utils_error_codes0.RawError<"POPUP_CLOSED">;
+    POPUP_TIMEOUT: _better_auth_core_utils_error_codes0.RawError<"POPUP_TIMEOUT">;
+  };
+  endpoints: {
+    oauthPopupStart: better_call0.StrictEndpoint<"/oauth-popup/start", {
+      method: "GET";
+      query: z.ZodObject<{
+        provider: z.ZodString;
+        popupOrigin: z.ZodString;
+        popupNonce: z.ZodOptional<z.ZodString>;
+        callbackURL: z.ZodOptional<z.ZodString>;
+        errorCallbackURL: z.ZodOptional<z.ZodString>;
+        newUserCallbackURL: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodString>;
+        requestSignUp: z.ZodOptional<z.ZodString>;
+        additionalData: z.ZodOptional<z.ZodString>;
+      }, z.core.$strip>;
+      metadata: {
+        readonly scope: "server";
+      };
+    }, Response>;
+  };
+  hooks: {
+    after: {
+      matcher(context: _better_auth_core0.HookEndpointContext): boolean;
+      handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>;
+    }[];
+  };
+};
+//#endregion
+export { OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_SCRIPT_CSP_HASH, oauthPopup };

package/dist/plugins/oauth-popup/index.mjs

@@ -0,0 +1,227 @@
+import { parseSetCookieHeader, splitSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { generateRandomString } from "../../crypto/random.mjs";
+import { expireCookie } from "../../cookies/index.mjs";
+import { getAwaitableValue } from "../../context/helpers.mjs";
+import { setOAuthState } from "../../api/state/oauth.mjs";
+import { generateGenericState } from "../../state.mjs";
+import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
+import { PACKAGE_VERSION } from "../../version.mjs";
+import { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE } from "./constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./error-codes.mjs";
+import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
+import { safeJSONParse } from "@better-auth/core/utils/json";
+import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
+import * as z from "zod";
+//#region src/plugins/oauth-popup/index.ts
+let warnedMissingBearer = false;
+/**
+* Escapes `<\/script>` and JS line separators for embedding in a script element.
+*/
+function inlineJSON(value) {
+	return JSON.stringify(value).replace(/[<\u2028\u2029]/g, (c) => `\\u${c.charCodeAt(0).toString(16).padStart(4, "0")}`);
+}
+/**
+* The completion-page script.
+*/
+const OAUTH_POPUP_COMPLETE_SCRIPT = `(function () {
+	var el = document.getElementById(${JSON.stringify(OAUTH_POPUP_DATA_ELEMENT_ID)});
+	if (!el) return;
+	var payload;
+	try {
+		payload = JSON.parse(el.textContent || "");
+	} catch (e) {
+		return;
+	}
+	var target = window.opener || window.parent;
+	if (target && target !== window) {
+		try {
+			target.postMessage(
+				{
+					type: payload.type,
+					nonce: payload.nonce,
+					token: payload.token,
+					redirectTo: payload.redirectTo,
+					error: payload.error,
+				},
+				payload.targetOrigin,
+			);
+		} catch (e) {}
+	}
+	window.close();
+})();
+`;
+/**
+* sha256 of `OAUTH_POPUP_COMPLETE_SCRIPT`, pinned in the completion CSP.
+*/
+const OAUTH_POPUP_SCRIPT_CSP_HASH = "sha256-tIo2K8VBC9SnhvdZ+9GsGkQoZm+jm/JcxL+d+i8b8KQ=";
+/**
+* Renders the page that posts the outcome (token or error) to the opener. The
+* caller must pass a trusted `popupOrigin` — validated at `/oauth-popup/start`
+* and preserved in the signed marker cookie the callback reads.
+*/
+function renderCompletion(c, popupOrigin, message) {
+	if (message.token && !warnedMissingBearer && !c.context.hasPlugin("bearer")) {
+		warnedMissingBearer = true;
+		c.context.logger.warn("OAuth popup hands the session token back via postMessage, but the `bearer` plugin is not registered, so an embedded (cross-site iframe) app cannot authenticate with it. Add bearer() to your auth `plugins`.");
+	}
+	const html = `<!doctype html>
+<html>
+<head><meta charset="utf-8"><title>Completing sign-in</title></head>
+<body>
+<script type="application/json" id="${OAUTH_POPUP_DATA_ELEMENT_ID}">${inlineJSON({
+		type: OAUTH_POPUP_MESSAGE_TYPE,
+		targetOrigin: popupOrigin,
+		...message
+	})}<\/script>
+<script>${OAUTH_POPUP_COMPLETE_SCRIPT}<\/script>
+</body>
+</html>`;
+	return new Response(html, {
+		status: 200,
+		headers: {
+			"content-type": "text/html; charset=utf-8",
+			"content-security-policy": `default-src 'none'; script-src '${OAUTH_POPUP_SCRIPT_CSP_HASH}'; base-uri 'none'`,
+			"cache-control": "no-store",
+			pragma: "no-cache"
+		}
+	});
+}
+/**
+* Starts the OAuth flow for a popup. The popup navigates here (top-level, so it
+* is first-party to the auth origin even when the app is on another origin),
+* the server sets the state + opener-marker cookies in the right partition, then
+* redirects to the provider. The callback then renders the completion page.
+*/
+const oauthPopupStart = createAuthEndpoint("/oauth-popup/start", {
+	method: "GET",
+	query: z.object({
+		provider: z.string(),
+		popupOrigin: z.string(),
+		popupNonce: z.string().optional(),
+		callbackURL: z.string().optional(),
+		errorCallbackURL: z.string().optional(),
+		newUserCallbackURL: z.string().optional(),
+		scopes: z.string().optional(),
+		requestSignUp: z.string().optional(),
+		additionalData: z.string().optional()
+	}),
+	metadata: HIDE_METADATA
+}, async (c) => {
+	const { popupOrigin } = c.query;
+	if (!c.context.isTrustedOrigin(popupOrigin, { allowRelativePaths: false })) {
+		c.context.logger.error(`OAuth popup origin is not a trusted origin. Add ${popupOrigin} to trustedOrigins.`);
+		throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ORIGIN);
+	}
+	const fail = (code, description) => renderCompletion(c, popupOrigin, {
+		nonce: c.query.popupNonce ?? "",
+		error: {
+			code,
+			description
+		}
+	});
+	const validateRedirect = (url, code) => {
+		if (!url || c.context.isTrustedOrigin(url, { allowRelativePaths: true })) return;
+		c.context.logger.error(`Invalid redirect URL: ${url}`);
+		return fail(code, `Untrusted URL: ${url}`);
+	};
+	const invalidRedirect = validateRedirect(c.query.callbackURL, "invalid_callback_url") ?? validateRedirect(c.query.errorCallbackURL, "invalid_error_callback_url") ?? validateRedirect(c.query.newUserCallbackURL, "invalid_new_user_callback_url");
+	if (invalidRedirect) return invalidRedirect;
+	const provider = await getAwaitableValue(c.context.socialProviders, { value: c.query.provider });
+	if (!provider) return fail("provider_not_found", `Unknown provider: ${c.query.provider}`);
+	const callbackURL = c.query.callbackURL || c.context.baseURL;
+	let url;
+	try {
+		const codeVerifier = generateRandomString(128);
+		const stateData = {
+			...c.query.additionalData ? safeJSONParse(c.query.additionalData) ?? {} : {},
+			callbackURL,
+			codeVerifier,
+			errorURL: c.query.errorCallbackURL,
+			newUserURL: c.query.newUserCallbackURL,
+			requestSignUp: c.query.requestSignUp === "true" ? true : void 0,
+			expiresAt: Date.now() + 600 * 1e3
+		};
+		await setOAuthState(stateData);
+		const { state } = await generateGenericState(c, stateData);
+		const marker = c.context.createAuthCookie(POPUP_MARKER_COOKIE, { maxAge: 600 });
+		await c.setSignedCookie(marker.name, JSON.stringify({
+			popupOrigin,
+			popupNonce: c.query.popupNonce ?? ""
+		}), c.context.secret, marker.attributes);
+		url = await provider.createAuthorizationURL({
+			state,
+			codeVerifier,
+			redirectURI: `${c.context.baseURL}/callback/${provider.id}`,
+			scopes: c.query.scopes ? c.query.scopes.split(",") : void 0
+		});
+	} catch (error) {
+		c.context.logger.error("OAuth popup failed to start", error);
+		return fail("popup_sign_in_failed", "Failed to start the OAuth flow.");
+	}
+	throw c.redirect(url.toString());
+});
+/**
+* Server plugin for popup-based OAuth. `signIn.popup` navigates the popup to
+* `/oauth-popup/start`; on the OAuth callback this plugin swaps the redirect for
+* a page that posts the session token (or error) back to the opener. Pair with
+* the `bearer` plugin and `oauthPopupClient`.
+*/
+const oauthPopup = () => {
+	return {
+		id: "oauth-popup",
+		version: PACKAGE_VERSION,
+		$ERROR_CODES: OAUTH_POPUP_ERROR_CODES,
+		endpoints: { oauthPopupStart },
+		hooks: { after: [{
+			matcher(context) {
+				return !!(context.path?.startsWith("/callback/") || context.path?.startsWith("/oauth2/callback/"));
+			},
+			handler: createAuthMiddleware(async (c) => {
+				const redirectTo = c.context.responseHeaders?.get("location");
+				if (!redirectTo) return;
+				const cookie = c.context.createAuthCookie(POPUP_MARKER_COOKIE);
+				const marker = await c.getSignedCookie(cookie.name, c.context.secret);
+				if (!marker) return;
+				expireCookie(c, cookie);
+				let popupOrigin;
+				let popupNonce;
+				try {
+					const parsed = JSON.parse(marker);
+					popupOrigin = parsed.popupOrigin;
+					popupNonce = parsed.popupNonce ?? "";
+				} catch {
+					return;
+				}
+				const setCookies = c.context.responseHeaders?.getSetCookie?.() ?? splitSetCookieHeader(c.context.responseHeaders?.get("set-cookie") ?? "");
+				let token;
+				for (const raw of setCookies) {
+					const value = parseSetCookieHeader(raw).get(c.context.authCookies.sessionToken.name)?.value;
+					if (value !== void 0) {
+						token = value;
+						break;
+					}
+				}
+				let response;
+				if (token) response = renderCompletion(c, popupOrigin, {
+					nonce: popupNonce,
+					token,
+					redirectTo
+				});
+				else {
+					const error = new URL(redirectTo, c.context.baseURL).searchParams.get("error");
+					if (!error) return;
+					response = renderCompletion(c, popupOrigin, {
+						nonce: popupNonce,
+						error: {
+							code: error,
+							description: new URL(redirectTo, c.context.baseURL).searchParams.get("error_description") ?? void 0
+						}
+					});
+				}
+				c.context.returned = response;
+			})
+		}] }
+	};
+};
+//#endregion
+export { OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_SCRIPT_CSP_HASH, oauthPopup };