better-auth 1.6.16 → 1.6.18

package/dist/plugins/oauth-popup/types.d.mts

@@ -0,0 +1,30 @@
+import { OAUTH_POPUP_MESSAGE_TYPE } from "./constants.mjs";
+
+//#region src/plugins/oauth-popup/types.d.ts
+/** OAuth error relayed to the opener when the flow fails. */
+interface OAuthPopupError {
+  code: string;
+  description?: string;
+}
+/**
+ * Message the completion page posts to its opener — success carries the token,
+ * failure carries the error.
+ */
+interface OAuthPopupMessage {
+  type: typeof OAUTH_POPUP_MESSAGE_TYPE;
+  /** Echoes the request nonce so the opener can correlate the handoff. */
+  nonce: string;
+  /** The session token, sent as `Authorization: Bearer <token>` (on success). */
+  token?: string;
+  /** Where the flow would have redirected (callbackURL / newUserURL). */
+  redirectTo?: string;
+  /** The OAuth error (on failure). */
+  error?: OAuthPopupError;
+}
+/** Payload embedded in the completion page's data block. */
+interface OAuthPopupData extends OAuthPopupMessage {
+  /** Exact origin the message is posted to (the trusted popup opener). */
+  targetOrigin: string;
+}
+//#endregion
+export { OAuthPopupData, OAuthPopupMessage };

package/dist/plugins/oauth-proxy/index.mjs

@@ -183,13 +183,13 @@ const oAuthProxy = (opts) => {
 					}
 					if (error) throw redirectOnError(ctx, errorURL, error);
 					if (!code) {
-						ctx.context.logger.error("OAuth callback missing authorization code");
+						ctx.context.logger.warn("OAuth callback missing authorization code");
 						throw redirectOnError(ctx, errorURL, "no_code");
 					}
 					const providerId = ctx.params?.id;
 					const provider = ctx.context.socialProviders.find((p) => p.id === providerId);
 					if (!provider) {
-						ctx.context.logger.error("OAuth provider not found", providerId);
+						ctx.context.logger.warn("OAuth provider not found", { providerId });
 						throw redirectOnError(ctx, errorURL, "oauth_provider_not_found");
 					}
 					let tokens;

package/dist/plugins/oauth-proxy/utils.mjs

@@ -21,10 +21,24 @@ function getVendorBaseURL() {
 	return vercel || netlify || render || aws || google || azure;
 }
 /**
-* Resolve the current URL from various sources
+* Resolve the current URL from various sources.
+*
+* The request URL host can come from an untrusted source (`Host` / forwarded host),
+* and this origin becomes the receiver for the encrypted OAuth profile replay.
+* So a request-derived origin is only honored when it is an explicitly trusted
+* origin; otherwise resolution falls back to the configured platform/base URL,
+* never the raw request host. An explicit `opts.currentURL` and the vendor/base
+* URLs are configured by the developer and trusted as-is.
 */
 function resolveCurrentURL(ctx, opts) {
-	return new URL(opts?.currentURL || ctx.request?.url || getVendorBaseURL() || ctx.context.baseURL);
+	if (opts?.currentURL) return new URL(opts.currentURL);
+	const requestURL = ctx.request?.url;
+	if (requestURL) {
+		const origin = getOrigin(requestURL);
+		if (origin && ctx.context.isTrustedOrigin(origin)) return new URL(requestURL);
+	}
+	const vendorBaseURL = getVendorBaseURL();
+	return new URL(vendorBaseURL && getOrigin(vendorBaseURL) ? vendorBaseURL : ctx.context.baseURL);
 }
 /**
 * Check if the proxy should be skipped for this request

package/dist/plugins/oidc-provider/index.mjs

@@ -1082,6 +1082,16 @@ const oidcProvider = (options) => {
 					});
 				}
 				const session = await getSessionFromCtx(ctx);
+				if (ctx.request && (validatedUserId || session)) {
+					const fetchSite = ctx.request.headers.get("Sec-Fetch-Site");
+					const originHeader = ctx.request.headers.get("origin") || ctx.request.headers.get("referer");
+					const isSameSiteRequest = fetchSite === "same-origin" || fetchSite === "same-site" || fetchSite === "none" || !!originHeader && ctx.context.isTrustedOrigin(originHeader, { allowRelativePaths: false });
+					const hintMatchesSession = !!validatedUserId && validatedUserId === session?.user.id;
+					if (!isSameSiteRequest && !hintMatchesSession) throw new APIError("FORBIDDEN", {
+						error: "invalid_request",
+						error_description: "Logout must be same-site or carry an id_token_hint for the current session"
+					});
+				}
 				if (validatedUserId || session) {
 					const userId = validatedUserId || session?.user.id;
 					if (userId) await ctx.context.adapter.deleteMany({

package/dist/plugins/one-tap/client.mjs

@@ -44,12 +44,15 @@ const oneTapClient = (options) => {
 						return;
 					}
 					async function callback(idToken) {
-						await $fetch("/one-tap/callback", {
+						if ((await $fetch("/one-tap/callback", {
 							method: "POST",
-							body: { idToken },
+							body: {
+								idToken,
+								callbackURL: opts?.callbackURL
+							},
 							...opts?.fetchOptions,
 							...fetchOptions
-						});
+						}))?.error) return;
 						if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) {
 							const target = opts?.callbackURL ?? "/";
 							if (isSafeUrlScheme(target)) window.location.href = target;
@@ -80,12 +83,15 @@ const oneTapClient = (options) => {
 					return;
 				}
 				async function callback(idToken) {
-					await $fetch("/one-tap/callback", {
+					if ((await $fetch("/one-tap/callback", {
 						method: "POST",
-						body: { idToken },
+						body: {
+							idToken,
+							callbackURL: opts?.callbackURL
+						},
 						...opts?.fetchOptions,
 						...fetchOptions
-					});
+					}))?.error) return;
 					if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) {
 						const target = opts?.callbackURL ?? "/";
 						if (isSafeUrlScheme(target)) window.location.href = target;

package/dist/plugins/one-tap/index.d.mts

@@ -32,6 +32,7 @@ declare const oneTap: (options?: OneTapOptions | undefined) => {
       method: "POST";
       body: z.ZodObject<{
         idToken: z.ZodString;
+        callbackURL: z.ZodOptional<z.ZodString>;
       }, z.core.$strip>;
       metadata: {
         openapi: {

package/dist/plugins/one-tap/index.mjs

@@ -8,7 +8,10 @@ import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
 import { createRemoteJWKSet, jwtVerify } from "jose";
 //#region src/plugins/one-tap/index.ts
-const oneTapCallbackBodySchema = z.object({ idToken: z.string().meta({ description: "Google ID token, which the client obtains from the One Tap API" }) });
+const oneTapCallbackBodySchema = z.object({
+	idToken: z.string().meta({ description: "Google ID token, which the client obtains from the One Tap API" }),
+	callbackURL: z.string().meta({ description: "URL to redirect to after a successful sign-in" }).optional()
+});
 const oneTap = (options) => ({
 	id: "one-tap",
 	version: PACKAGE_VERSION,
@@ -34,13 +37,14 @@ const oneTap = (options) => ({
 		} }
 	}, async (ctx) => {
 		const { idToken } = ctx.body;
+		const googleProvider = typeof ctx.context.options.socialProviders?.google === "function" ? await ctx.context.options.socialProviders?.google() : ctx.context.options.socialProviders?.google;
+		const audience = options?.clientId || googleProvider?.clientId;
+		if (!audience || Array.isArray(audience) && audience.length === 0) throw new APIError("BAD_REQUEST", { message: "Google client ID is required for One Tap. Set it on the oneTap plugin (clientId) or on socialProviders.google." });
 		let payload;
 		try {
-			const JWKS = createRemoteJWKSet(new URL("https://www.googleapis.com/oauth2/v3/certs"));
-			const googleProvider = typeof ctx.context.options.socialProviders?.google === "function" ? await ctx.context.options.socialProviders?.google() : ctx.context.options.socialProviders?.google;
-			const { payload: verifiedPayload } = await jwtVerify(idToken, JWKS, {
+			const { payload: verifiedPayload } = await jwtVerify(idToken, createRemoteJWKSet(new URL("https://www.googleapis.com/oauth2/v3/certs")), {
 				issuer: ["https://accounts.google.com", "accounts.google.com"],
-				audience: options?.clientId || googleProvider?.clientId
+				audience
 			});
 			payload = verifiedPayload;
 		} catch {

package/dist/plugins/one-time-token/index.mjs

@@ -47,10 +47,8 @@ const oneTimeToken = (options) => {
 			}, async (c) => {
 				const { token } = c.body;
 				const storedToken = await storeToken(c, token);
-				const verificationValue = await c.context.internalAdapter.findVerificationValue(`one-time-token:${storedToken}`);
+				const verificationValue = await c.context.internalAdapter.consumeVerificationValue(`one-time-token:${storedToken}`);
 				if (!verificationValue) throw c.error("BAD_REQUEST", { message: "Invalid token" });
-				await c.context.internalAdapter.deleteVerificationByIdentifier(`one-time-token:${storedToken}`);
-				if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) throw c.error("BAD_REQUEST", { message: "Token expired" });
 				const session = await c.context.internalAdapter.findSession(verificationValue.value);
 				if (!session) throw c.error("BAD_REQUEST", { message: "Session not found" });
 				if (!opts?.disableSetSessionCookie) await setSessionCookie(c, session);

package/dist/plugins/open-api/generator.d.mts

@@ -4,63 +4,72 @@ import { OpenAPIParameter, OpenAPISchemaType } from "better-call";
 
 //#region src/plugins/open-api/generator.d.ts
 interface Path {
-  get?: {
-    tags?: string[];
-    operationId?: string;
-    description?: string;
-    security?: [{
-      bearerAuth: string[];
-    }];
-    parameters?: OpenAPIParameter[];
-    responses?: { [key in string]: {
-      description?: string;
-      content: {
-        "application/json": {
-          schema: {
-            type?: OpenAPISchemaType;
-            properties?: Record<string, any>;
-            required?: string[];
-            $ref?: string;
-          };
-        };
-      };
-    } };
-  } | undefined;
-  post?: {
-    tags?: string[];
-    operationId?: string;
-    description?: string;
-    security?: [{
-      bearerAuth: string[];
-    }];
-    parameters?: OpenAPIParameter[];
-    requestBody?: {
-      content: {
-        "application/json": {
-          schema: {
-            type?: OpenAPISchemaType;
-            properties?: Record<string, any>;
-            required?: string[];
-            $ref?: string;
-          };
-        };
-      };
-    };
-    responses?: { [key in string]: {
-      description?: string;
-      content: {
-        "application/json": {
-          schema: {
-            type?: OpenAPISchemaType;
-            properties?: Record<string, any>;
-            required?: string[];
-            $ref?: string;
-          };
-        };
-      };
-    } };
-  } | undefined;
+  get?: OpenAPIOperation | undefined;
+  post?: OpenAPIOperation | undefined;
+  put?: OpenAPIOperation | undefined;
+  patch?: OpenAPIOperation | undefined;
+  delete?: OpenAPIOperation | undefined;
 }
+type OpenAPISchemaPrimitiveType = OpenAPISchemaType | "null";
+type OpenAPISchema = {
+  type?: OpenAPISchemaPrimitiveType | OpenAPISchemaPrimitiveType[];
+  properties?: Record<string, OpenAPISchema>;
+  required?: string[];
+  $ref?: string;
+  description?: string;
+  default?: unknown;
+  readOnly?: boolean;
+  format?: string;
+  deprecated?: boolean;
+  enum?: unknown[];
+  items?: OpenAPISchema;
+  minLength?: number;
+  maxLength?: number;
+  minimum?: number;
+  maximum?: number;
+  additionalProperties?: boolean | OpenAPISchema;
+  propertyNames?: OpenAPISchema;
+  allOf?: OpenAPISchema[];
+  anyOf?: OpenAPISchema[];
+  oneOf?: OpenAPISchema[];
+  const?: unknown;
+  example?: unknown;
+};
+type OpenAPIParameter$1 = Omit<OpenAPIParameter, "schema"> & {
+  schema?: OpenAPISchema;
+};
+type OpenAPIMediaTypeObject = {
+  schema?: OpenAPISchema;
+};
+type OpenAPIResponseContent = {
+  "application/json"?: OpenAPIMediaTypeObject;
+  "text/plain"?: OpenAPIMediaTypeObject;
+  "text/html"?: OpenAPIMediaTypeObject;
+  [contentType: string]: OpenAPIMediaTypeObject | undefined;
+};
+type OpenAPIResponse = {
+  description?: string;
+  content?: OpenAPIResponseContent;
+};
+type OpenAPIRequestBody = {
+  required?: boolean;
+  content: {
+    "application/json": {
+      schema: OpenAPISchema;
+    };
+  };
+};
+type OpenAPIOperation = {
+  tags?: string[];
+  operationId?: string;
+  description?: string;
+  security?: [{
+    bearerAuth: string[];
+  }];
+  parameters?: OpenAPIParameter$1[];
+  requestBody?: OpenAPIRequestBody;
+  responses?: Record<string, OpenAPIResponse>;
+};
 type FieldSchema = {
   type: DBFieldType;
   default?: (DBFieldAttributeConfig["defaultValue"] | "Generated at runtime") | undefined;
@@ -111,4 +120,4 @@ declare function generator(ctx: AuthContext, options: BetterAuthOptions): Promis
   paths: Record<string, Path>;
 }>;
 //#endregion
-export { FieldSchema, OpenAPIModelSchema, Path, generator };
+export { FieldSchema, OpenAPIModelSchema, OpenAPIParameter$1 as OpenAPIParameter, OpenAPISchema, Path, generator };

package/dist/plugins/open-api/generator.mjs

@@ -3,17 +3,17 @@ import { getEndpoints } from "../../api/index.mjs";
 import * as z from "zod";
 import { toPascalCase } from "@better-auth/core/utils/string";
 //#region src/plugins/open-api/generator.ts
-const allowedType = new Set([
+const OPEN_API_SCHEMA_TYPES = new Set([
 	"string",
 	"number",
 	"boolean",
 	"array",
 	"object"
 ]);
-function getTypeFromZodType(zodType) {
-	if (zodType instanceof z.ZodDefault) return getTypeFromZodType(zodType.unwrap());
+function getOpenApiTypeFromZodType(zodType) {
+	if (zodType instanceof z.ZodDefault || zodType instanceof z.ZodPrefault) return getOpenApiTypeFromZodType(unwrapZodSchema(zodType));
 	const type = zodType.type;
-	return allowedType.has(type) ? type : "string";
+	return OPEN_API_SCHEMA_TYPES.has(type) ? type : "string";
 }
 function getFieldSchema(field) {
 	const schema = {
@@ -24,6 +24,48 @@ function getFieldSchema(field) {
 	if (field.input === false) schema.readOnly = true;
 	return schema;
 }
+function asZodSchema(schema) {
+	return schema;
+}
+function unwrapZodSchema(zodType) {
+	return asZodSchema(zodType.unwrap());
+}
+function getZodDef(zodType) {
+	return zodType._def;
+}
+function getZodDescription(zodType) {
+	return zodType.description;
+}
+function withDescription(schema, zodType) {
+	const description = getZodDescription(zodType);
+	return description ? {
+		...schema,
+		description
+	} : schema;
+}
+function addNullType(schema) {
+	if (schema.type) {
+		const type = Array.isArray(schema.type) ? schema.type : [schema.type];
+		const nullableType = Array.from(new Set([...type, "null"]));
+		return {
+			...schema,
+			type: nullableType
+		};
+	}
+	return { anyOf: [schema, { type: "null" }] };
+}
+function getZodStringSchemaConstraints(zodType) {
+	const minLength = zodType.minLength;
+	const maxLength = zodType.maxLength;
+	return {
+		...typeof minLength === "number" ? { minLength } : {},
+		...typeof maxLength === "number" ? { maxLength } : {}
+	};
+}
+function getZodPipeSchema(zodType) {
+	const def = getZodDef(zodType);
+	return def.in instanceof z.ZodTransform && def.out instanceof z.ZodType ? def.out : def.in;
+}
 function getParameters(options) {
 	const parameters = [];
 	if (options.metadata?.openapi?.parameters) {
@@ -31,62 +73,93 @@ function getParameters(options) {
 		return parameters;
 	}
 	if (options.query instanceof z.ZodObject) Object.entries(options.query.shape).forEach(([key, value]) => {
-		if (value instanceof z.ZodType) parameters.push({
-			name: key,
-			in: "query",
-			schema: {
-				...processZodType(value),
-				..."minLength" in value && value.minLength ? { minLength: value.minLength } : {}
-			}
-		});
+		if (value instanceof z.ZodType) {
+			const parameterSchema = toOpenApiSchema(value);
+			parameters.push({
+				name: key,
+				in: "query",
+				schema: parameterSchema
+			});
+		}
 	});
 	return parameters;
 }
+function getRequestBodySchemaInfo(zodType) {
+	return {
+		required: !schemaAcceptsUndefined(zodType),
+		schema: zodType
+	};
+}
+function schemaAcceptsUndefined(zodType) {
+	if (zodType instanceof z.ZodOptional || zodType instanceof z.ZodDefault || zodType instanceof z.ZodPrefault || zodType instanceof z.ZodCatch || zodType instanceof z.ZodUndefined || zodType instanceof z.ZodVoid) return true;
+	if (zodType instanceof z.ZodNonOptional) return false;
+	if (zodType instanceof z.ZodNullable || zodType instanceof z.ZodReadonly) return schemaAcceptsUndefined(unwrapZodSchema(zodType));
+	if (zodType instanceof z.ZodPipe) return schemaAcceptsUndefined(getZodPipeSchema(zodType));
+	if (zodType instanceof z.ZodUnion) return getZodDef(zodType).options.some((option) => schemaAcceptsUndefined(option));
+	if (zodType instanceof z.ZodIntersection) {
+		const def = getZodDef(zodType);
+		return schemaAcceptsUndefined(def.left) && schemaAcceptsUndefined(def.right);
+	}
+	return false;
+}
+function isUndefinedOnlySchema(zodType) {
+	return zodType instanceof z.ZodUndefined || zodType instanceof z.ZodVoid;
+}
+function isMergeableObjectSchema(schema) {
+	const type = schema?.type;
+	return !!schema && (type === "object" || Array.isArray(type) && type.includes("object")) && schema.$ref === void 0 && schema.allOf === void 0 && schema.anyOf === void 0;
+}
+function schemaAllowsNull(schema) {
+	const type = schema?.type;
+	return Array.isArray(type) && type.includes("null");
+}
+function areSchemasEqual(left, right) {
+	return JSON.stringify(left) === JSON.stringify(right);
+}
+function areSchemaMembersCompatible(left, right) {
+	if (left === void 0 || right === void 0) return true;
+	if (typeof left === "boolean" || typeof right === "boolean") return left === right;
+	return areSchemasEqual(left, right);
+}
+function mergeObjectSchemas(left, right, description) {
+	const properties = { ...left.properties || {} };
+	for (const [key, value] of Object.entries(right.properties || {})) {
+		if (properties[key] !== void 0 && !areSchemasEqual(properties[key], value)) return;
+		properties[key] = value;
+	}
+	const required = Array.from(new Set([...left.required || [], ...right.required || []]));
+	const leftAdditionalProperties = left.additionalProperties;
+	const rightAdditionalProperties = right.additionalProperties;
+	if (!areSchemaMembersCompatible(leftAdditionalProperties, rightAdditionalProperties)) return;
+	const leftPropertyNames = left.propertyNames;
+	const rightPropertyNames = right.propertyNames;
+	if (!areSchemaMembersCompatible(leftPropertyNames, rightPropertyNames)) return;
+	const additionalProperties = leftAdditionalProperties ?? rightAdditionalProperties;
+	const propertyNames = leftPropertyNames ?? rightPropertyNames;
+	return {
+		type: schemaAllowsNull(left) && schemaAllowsNull(right) ? ["object", "null"] : "object",
+		...Object.keys(properties).length > 0 ? { properties } : {},
+		...required.length > 0 ? { required } : {},
+		...additionalProperties !== void 0 ? { additionalProperties } : {},
+		...propertyNames !== void 0 ? { propertyNames } : {},
+		...description ?? left.description ?? right.description ? { description: description ?? left.description ?? right.description } : {}
+	};
+}
 function getRequestBody(options) {
 	if (options.metadata?.openapi?.requestBody) return options.metadata.openapi.requestBody;
 	if (!options.body) return void 0;
-	if (options.body instanceof z.ZodObject || options.body instanceof z.ZodOptional) {
-		const shape = options.body.shape;
-		if (!shape) return void 0;
-		const properties = {};
-		const required = [];
-		Object.entries(shape).forEach(([key, value]) => {
-			if (value instanceof z.ZodType) {
-				properties[key] = processZodType(value);
-				if (!(value instanceof z.ZodOptional)) required.push(key);
-			}
-		});
-		return {
-			required: options.body instanceof z.ZodOptional ? false : options.body ? true : false,
-			content: { "application/json": { schema: {
-				type: "object",
-				properties,
-				required
-			} } }
-		};
-	}
+	const requestBodySchemaInfo = getRequestBodySchemaInfo(options.body);
+	const schema = toOpenApiSchema(requestBodySchemaInfo.schema);
+	return {
+		required: requestBodySchemaInfo.required,
+		content: { "application/json": { schema } }
+	};
 }
-function processZodType(zodType) {
-	if (zodType instanceof z.ZodOptional) {
-		const innerSchema = processZodType(zodType.unwrap());
-		if (innerSchema.type) {
-			const type = Array.isArray(innerSchema.type) ? innerSchema.type : [innerSchema.type];
-			return {
-				...innerSchema,
-				type: Array.from(new Set([...type, "null"]))
-			};
-		}
-		return { anyOf: [innerSchema, { type: "null" }] };
-	}
-	if (zodType instanceof z.ZodDefault) {
-		const innerSchema = processZodType(zodType.unwrap());
-		const defaultValueDef = zodType._def.defaultValue;
-		const defaultValue = typeof defaultValueDef === "function" ? defaultValueDef() : defaultValueDef;
-		return {
-			...innerSchema,
-			default: defaultValue
-		};
-	}
+function toOpenApiSchema(zodType) {
+	if (zodType instanceof z.ZodOptional) return toOpenApiSchema(unwrapZodSchema(zodType));
+	if (zodType instanceof z.ZodNullable) return addNullType(toOpenApiSchema(unwrapZodSchema(zodType)));
+	if (zodType instanceof z.ZodDefault || zodType instanceof z.ZodPrefault || zodType instanceof z.ZodNonOptional) return toOpenApiSchema(unwrapZodSchema(zodType));
+	if (zodType instanceof z.ZodAny) return withDescription({}, zodType);
 	if (zodType instanceof z.ZodObject) {
 		const shape = zodType.shape;
 		if (shape) {
@@ -94,22 +167,64 @@ function processZodType(zodType) {
 			const required = [];
 			Object.entries(shape).forEach(([key, value]) => {
 				if (value instanceof z.ZodType) {
-					properties[key] = processZodType(value);
-					if (!(value instanceof z.ZodOptional)) required.push(key);
+					properties[key] = toOpenApiSchema(value);
+					if (!schemaAcceptsUndefined(value)) required.push(key);
 				}
 			});
-			return {
+			return withDescription({
 				type: "object",
 				properties,
-				...required.length > 0 ? { required } : {},
-				description: zodType.description
-			};
+				...required.length > 0 ? { required } : {}
+			}, zodType);
 		}
 	}
-	return {
-		type: getTypeFromZodType(zodType),
-		description: zodType.description
-	};
+	if (zodType instanceof z.ZodRecord) {
+		const def = getZodDef(zodType);
+		return withDescription({
+			type: "object",
+			propertyNames: toOpenApiSchema(def.keyType),
+			additionalProperties: toOpenApiSchema(def.valueType)
+		}, zodType);
+	}
+	if (zodType instanceof z.ZodIntersection) {
+		const def = getZodDef(zodType);
+		const leftSchema = toOpenApiSchema(def.left);
+		const rightSchema = toOpenApiSchema(def.right);
+		if (isMergeableObjectSchema(leftSchema) && isMergeableObjectSchema(rightSchema)) {
+			const mergedSchema = mergeObjectSchemas(leftSchema, rightSchema, getZodDescription(zodType));
+			if (mergedSchema) return mergedSchema;
+		}
+		return withDescription({ allOf: [leftSchema, rightSchema] }, zodType);
+	}
+	if (zodType instanceof z.ZodUnion) {
+		const def = getZodDef(zodType);
+		const schemas = def.options.filter((option) => !isUndefinedOnlySchema(option)).map((option) => toOpenApiSchema(option));
+		if (schemas.length === 0) return withDescription({}, zodType);
+		if (schemas.length === 1) {
+			const schema = schemas[0];
+			if (!schema) return withDescription({}, zodType);
+			return withDescription(schema, zodType);
+		}
+		return withDescription(def.inclusive === false ? { oneOf: schemas } : { anyOf: schemas }, zodType);
+	}
+	if (zodType instanceof z.ZodArray) return withDescription({
+		type: "array",
+		items: toOpenApiSchema(getZodDef(zodType).element)
+	}, zodType);
+	if (zodType instanceof z.ZodLiteral) return withDescription({ enum: Array.from(zodType.values) }, zodType);
+	if (zodType instanceof z.ZodEnum) return withDescription({
+		type: "string",
+		enum: zodType.options
+	}, zodType);
+	if (zodType instanceof z.ZodPipe) return withDescription(toOpenApiSchema(getZodPipeSchema(zodType)), zodType);
+	if (zodType instanceof z.ZodCatch || zodType instanceof z.ZodReadonly) return withDescription(toOpenApiSchema(getZodDef(zodType).innerType), zodType);
+	if (zodType instanceof z.ZodNull) return withDescription({ type: "null" }, zodType);
+	if (zodType instanceof z.ZodUndefined) return withDescription({}, zodType);
+	if (zodType instanceof z.ZodVoid) return withDescription({}, zodType);
+	return withDescription({
+		type: getOpenApiTypeFromZodType(zodType),
+		...zodType instanceof z.ZodString ? getZodStringSchemaConstraints(zodType) : {}
+	}, zodType);
 }
 function getResponse(responses) {
 	return {
@@ -178,12 +293,15 @@ async function generator(ctx, options) {
 	const components = { schemas: { ...Object.entries(tables).reduce((acc, [key, value]) => {
 		const modelName = key.charAt(0).toUpperCase() + key.slice(1);
 		const fields = value.fields;
-		const required = [];
-		const properties = { id: { type: "string" } };
+		const required = new Set(["id"]);
+		const properties = { id: {
+			type: "string",
+			readOnly: true
+		} };
 		Object.entries(fields).forEach(([fieldKey, fieldValue]) => {
 			if (!fieldValue) return;
 			properties[fieldKey] = getFieldSchema(fieldValue);
-			if (fieldValue.required && fieldValue.input !== false) required.push(fieldKey);
+			if (fieldValue.required && fieldValue.returned !== false) required.add(fieldKey);
 		});
 		Object.entries(properties).forEach(([key, prop]) => {
 			const field = value.fields[key];
@@ -192,7 +310,7 @@ async function generator(ctx, options) {
 		acc[modelName] = {
 			type: "object",
 			properties,
-			required
+			required: Array.from(required)
 		};
 		return acc;
 	}, {}) } };

package/dist/plugins/open-api/index.d.mts

@@ -1,4 +1,4 @@
-import { FieldSchema, OpenAPIModelSchema, Path, generator } from "./generator.mjs";
+import { FieldSchema, OpenAPIModelSchema, OpenAPIParameter, OpenAPISchema, Path, generator } from "./generator.mjs";
 import { LiteralString } from "@better-auth/core";
 import * as better_call0 from "better-call";
 
@@ -94,4 +94,4 @@ declare const openAPI: <O extends OpenAPIOptions>(options?: O | undefined) => {
   options: NoInfer<O>;
 };
 //#endregion
-export { type FieldSchema, type OpenAPIModelSchema, OpenAPIOptions, type Path, generator, openAPI };
+export { type FieldSchema, type OpenAPIModelSchema, OpenAPIOptions, OpenAPIParameter, OpenAPISchema, type Path, generator, openAPI };