better-auth 1.6.16 → 1.6.18

package/dist/plugins/organization/adapter.d.mts

@@ -536,6 +536,28 @@ declare const getOrgAdapter: <O extends OrganizationOptions>(context: AuthContex
     userId: string;
     createdAt: Date;
   }>;
+  /**
+   * Adds a user to a team only when the team is below its member limit,
+   * reading the count and creating the membership in one transaction.
+   * Returns the existing membership unchanged (no capacity charge) when the
+   * user already belongs to the team.
+   *
+   * FIXME(team-cap-race): the count-then-create is not atomic under READ
+   * COMMITTED, so two concurrent adds can both pass the count check and
+   * exceed maximumMembersPerTeam. A durable fix needs a unique constraint on
+   * teamMember(teamId, userId) or serializable isolation. Affects every
+   * caller (acceptInvitation, addMember, addTeamMember).
+   */
+  addTeamMemberWithLimit: (data: {
+    teamId: string;
+    userId: string;
+    maximumMembersPerTeam: number;
+  }) => Promise<{
+    status: "added";
+    member: TeamMember;
+  } | {
+    status: "limitReached";
+  }>;
   removeTeamMember: (data: {
     teamId: string;
     userId: string;
@@ -757,7 +779,13 @@ declare const getOrgAdapter: <O extends OrganizationOptions>(context: AuthContex
   } ? FieldAttributeToObject<Field> : {}) extends infer T ? { [K in keyof T]: T[K] } : never)[]>;
   updateInvitation: (data: {
     invitationId: string;
-    status: "accepted" | "canceled" | "rejected";
+    status: "pending" | "accepted" | "canceled" | "rejected";
+    /**
+     * Only transition when the invitation is currently in this status. The
+     * guarded update is atomic, so a concurrent caller racing the same
+     * transition gets `null` instead of both proceeding.
+     */
+    fromStatus?: "pending";
   }) => Promise<((O["teams"] extends {
     enabled: true;
   } ? {

package/dist/plugins/organization/adapter.mjs

@@ -4,6 +4,23 @@ import { getCurrentAdapter, runWithTransaction } from "@better-auth/core/context
 import { BetterAuthError } from "@better-auth/core/error";
 import { filterOutputFields } from "@better-auth/core/utils/db";
 //#region src/plugins/organization/adapter.ts
+/**
+* Resolves the configured per-team member cap to a concrete number for a given
+* team-add. Returns `undefined` only when no cap is configured. Throws when the
+* cap is a function but no session is available to evaluate it, so a sessionless
+* server-side add fails closed instead of silently bypassing the limit.
+*/
+async function resolveMaximumMembersPerTeam(teams, context) {
+	const maximumMembersPerTeam = teams?.maximumMembersPerTeam;
+	if (maximumMembersPerTeam === void 0) return void 0;
+	if (typeof maximumMembersPerTeam === "number") return maximumMembersPerTeam;
+	if (!context.session) throw new BetterAuthError("`teams.maximumMembersPerTeam` is configured as a function but no session is available to evaluate it. Provide a session-bearing request or configure a numeric limit.");
+	return await maximumMembersPerTeam({
+		teamId: context.teamId,
+		session: context.session,
+		organizationId: context.organizationId
+	});
+}
 const getOrgAdapter = (context, options) => {
 	const baseAdapter = context.adapter;
 	const orgAdditionalFields = options?.schema?.organization?.additionalFields;
@@ -513,6 +530,43 @@ const getOrgAdapter = (context, options) => {
 				}
 			});
 		},
+		addTeamMemberWithLimit: async (data) => {
+			return runWithTransaction(baseAdapter, async () => {
+				const adapter = await getCurrentAdapter(baseAdapter);
+				const existing = await adapter.findOne({
+					model: "teamMember",
+					where: [{
+						field: "teamId",
+						value: data.teamId
+					}, {
+						field: "userId",
+						value: data.userId
+					}]
+				});
+				if (existing) return {
+					status: "added",
+					member: existing
+				};
+				if (await adapter.count({
+					model: "teamMember",
+					where: [{
+						field: "teamId",
+						value: data.teamId
+					}]
+				}) >= data.maximumMembersPerTeam) return { status: "limitReached" };
+				return {
+					status: "added",
+					member: await adapter.create({
+						model: "teamMember",
+						data: {
+							teamId: data.teamId,
+							userId: data.userId,
+							createdAt: /* @__PURE__ */ new Date()
+						}
+					})
+				};
+			});
+		},
 		removeTeamMember: async (data) => {
 			await (await getCurrentAdapter(baseAdapter)).deleteMany({
 				model: "teamMember",
@@ -615,16 +669,22 @@ const getOrgAdapter = (context, options) => {
 			});
 		},
 		updateInvitation: async (data) => {
-			return await (await getCurrentAdapter(baseAdapter)).update({
+			const adapter = await getCurrentAdapter(baseAdapter);
+			const where = [{
+				field: "id",
+				value: data.invitationId
+			}];
+			if (data.fromStatus) where.push({
+				field: "status",
+				value: data.fromStatus
+			});
+			return await adapter.update({
 				model: "invitation",
-				where: [{
-					field: "id",
-					value: data.invitationId
-				}],
+				where,
 				update: { status: data.status }
 			});
 		}
 	};
 };
 //#endregion
-export { getOrgAdapter };
+export { getOrgAdapter, resolveMaximumMembersPerTeam };

package/dist/plugins/organization/routes/crud-invites.mjs

@@ -4,10 +4,11 @@ import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx } from "../../../api/routes/session.mjs";
 import { defaultRoles } from "../access/statement.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";
-import { getOrgAdapter } from "../adapter.mjs";
+import { getOrgAdapter, resolveMaximumMembersPerTeam } from "../adapter.mjs";
 import { orgMiddleware, orgSessionMiddleware } from "../call.mjs";
 import { hasPermission } from "../has-permission.mjs";
 import { parseRoles } from "../organization.mjs";
+import { runWithTransaction } from "@better-auth/core/context";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
@@ -283,44 +284,58 @@ const acceptInvitation = (options) => createAuthEndpoint("/organization/accept-i
 	});
 	const acceptedI = await adapter.updateInvitation({
 		invitationId: ctx.body.invitationId,
-		status: "accepted"
+		status: "accepted",
+		fromStatus: "pending"
 	});
-	if (!acceptedI) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.FAILED_TO_RETRIEVE_INVITATION);
-	if (ctx.context.orgOptions.teams && ctx.context.orgOptions.teams.enabled && "teamId" in acceptedI && acceptedI.teamId) {
-		const teamIds = acceptedI.teamId.split(",");
-		const onlyOne = teamIds.length === 1;
-		for (const teamId of teamIds) {
-			if (!await adapter.findTeamById({
-				teamId,
-				organizationId: invitation.organizationId
-			})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
-			await adapter.findOrCreateTeamMember({
-				teamId,
-				userId: session.user.id
-			});
-			if (typeof ctx.context.orgOptions.teams.maximumMembersPerTeam !== "undefined") {
-				if (await adapter.countTeamMembers({ teamId }) >= (typeof ctx.context.orgOptions.teams.maximumMembersPerTeam === "function" ? await ctx.context.orgOptions.teams.maximumMembersPerTeam({
+	if (!acceptedI) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVITATION_NOT_FOUND);
+	const member = await runWithTransaction(ctx.context.adapter, async () => {
+		if (ctx.context.orgOptions.teams && ctx.context.orgOptions.teams.enabled && "teamId" in acceptedI && acceptedI.teamId) {
+			const teamIds = acceptedI.teamId.split(",");
+			const onlyOne = teamIds.length === 1;
+			for (const teamId of teamIds) {
+				if (!await adapter.findTeamById({
 					teamId,
-					session,
-					organizationId: invitation.organizationId
-				}) : ctx.context.orgOptions.teams.maximumMembersPerTeam)) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.TEAM_MEMBER_LIMIT_REACHED);
+					organizationId: acceptedI.organizationId
+				})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
+				const maximumMembersPerTeam = await resolveMaximumMembersPerTeam(ctx.context.orgOptions.teams, {
+					teamId,
+					organizationId: acceptedI.organizationId,
+					session
+				});
+				if (maximumMembersPerTeam !== void 0) {
+					if ((await adapter.addTeamMemberWithLimit({
+						teamId,
+						userId: session.user.id,
+						maximumMembersPerTeam
+					})).status === "limitReached") throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.TEAM_MEMBER_LIMIT_REACHED);
+				} else await adapter.findOrCreateTeamMember({
+					teamId,
+					userId: session.user.id
+				});
+			}
+			if (onlyOne) {
+				const teamId = teamIds[0];
+				await setSessionCookie(ctx, {
+					session: await adapter.setActiveTeam(session.session.token, teamId, ctx),
+					user: session.user
+				});
 			}
 		}
-		if (onlyOne) {
-			const teamId = teamIds[0];
-			await setSessionCookie(ctx, {
-				session: await adapter.setActiveTeam(session.session.token, teamId, ctx),
-				user: session.user
-			});
-		}
-	}
-	const member = await adapter.createMember({
-		organizationId: invitation.organizationId,
-		userId: session.user.id,
-		role: invitation.role,
-		createdAt: /* @__PURE__ */ new Date()
+		const createdMember = await adapter.createMember({
+			organizationId: acceptedI.organizationId,
+			userId: session.user.id,
+			role: acceptedI.role,
+			createdAt: /* @__PURE__ */ new Date()
+		});
+		await adapter.setActiveOrganization(session.session.token, acceptedI.organizationId, ctx);
+		return createdMember;
+	}).catch(async (error) => {
+		await adapter.updateInvitation({
+			invitationId: ctx.body.invitationId,
+			status: "pending"
+		});
+		throw error;
 	});
-	await adapter.setActiveOrganization(session.session.token, invitation.organizationId, ctx);
 	if (options?.organizationHooks?.afterAcceptInvitation) await options?.organizationHooks.afterAcceptInvitation({
 		invitation: acceptedI,
 		member,

package/dist/plugins/organization/routes/crud-members.mjs

@@ -1,7 +1,8 @@
 import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx, sessionMiddleware } from "../../../api/routes/session.mjs";
+import { defaultRoles } from "../access/statement.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";
-import { getOrgAdapter } from "../adapter.mjs";
+import { getOrgAdapter, resolveMaximumMembersPerTeam } from "../adapter.mjs";
 import { orgMiddleware, orgSessionMiddleware } from "../call.mjs";
 import { hasPermission } from "../has-permission.mjs";
 import { parseRoles } from "../organization.mjs";
@@ -21,7 +22,7 @@ const addMember = (option) => {
 		fields: option?.schema?.member?.additionalFields || {},
 		isClientSide: true
 	});
-	return createAuthEndpoint({
+	return createAuthEndpoint.serverOnly({
 		method: "POST",
 		body: z.object({
 			...baseMemberSchema.shape,
@@ -87,11 +88,22 @@ const addMember = (option) => {
 				...response.data
 			};
 		}
-		const createdMember = await adapter.createMember(memberData);
-		if (teamId) await adapter.findOrCreateTeamMember({
+		const maximumMembersPerTeam = teamId ? await resolveMaximumMembersPerTeam(ctx.context.orgOptions.teams, {
+			teamId,
+			organizationId: orgId,
+			session
+		}) : void 0;
+		if (teamId) if (maximumMembersPerTeam !== void 0) {
+			if ((await adapter.addTeamMemberWithLimit({
+				teamId,
+				userId: user.id,
+				maximumMembersPerTeam
+			})).status === "limitReached") throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.TEAM_MEMBER_LIMIT_REACHED);
+		} else await adapter.findOrCreateTeamMember({
 			userId: user.id,
 			teamId
 		});
+		const createdMember = await adapter.createMember(memberData);
 		if (option?.organizationHooks?.afterAddMember) await option?.organizationHooks.afterAddMember({
 			member: createdMember,
 			user,
@@ -241,7 +253,31 @@ const updateMemberRole = (option) => createAuthEndpoint("/organization/update-me
 	const organizationId = ctx.body.organizationId || session.session.activeOrganizationId;
 	if (!organizationId) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.NO_ACTIVE_ORGANIZATION);
 	const adapter = getOrgAdapter(ctx.context, ctx.context.orgOptions);
-	const roleToSet = Array.isArray(ctx.body.role) ? ctx.body.role : ctx.body.role ? [ctx.body.role] : [];
+	const roleToSet = (Array.isArray(ctx.body.role) ? ctx.body.role : [ctx.body.role]).flatMap((role) => role.split(",")).map((role) => role.trim()).filter(Boolean);
+	if (roleToSet.length === 0) throw APIError.fromStatus("BAD_REQUEST");
+	const validStaticRoles = new Set([...Object.keys(defaultRoles), ...Object.keys(ctx.context.orgOptions.roles || {})]);
+	const unknownRoles = roleToSet.filter((role) => !validStaticRoles.has(role));
+	if (unknownRoles.length > 0) if (ctx.context.orgOptions.dynamicAccessControl?.enabled) {
+		const foundRoleNames = (await ctx.context.adapter.findMany({
+			model: "organizationRole",
+			where: [{
+				field: "organizationId",
+				value: organizationId
+			}, {
+				field: "role",
+				value: unknownRoles,
+				operator: "in"
+			}]
+		})).map((r) => r.role);
+		const stillInvalid = unknownRoles.filter((r) => !foundRoleNames.includes(r));
+		if (stillInvalid.length > 0) throw new APIError("BAD_REQUEST", {
+			code: ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND.code,
+			message: `${ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND.code}: ${stillInvalid.join(", ")}`
+		});
+	} else throw new APIError("BAD_REQUEST", {
+		code: ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND.code,
+		message: `${ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND.code}: ${unknownRoles.join(", ")}`
+	});
 	const member = await adapter.findMemberByOrgId({
 		userId: session.user.id,
 		organizationId
@@ -280,7 +316,7 @@ const updateMemberRole = (option) => createAuthEndpoint("/organization/update-me
 	const userBeingUpdated = await ctx.context.internalAdapter.findUserById(toBeUpdatedMember.userId);
 	if (!userBeingUpdated) throw APIError.fromStatus("BAD_REQUEST", { message: "User not found" });
 	const previousRole = toBeUpdatedMember.role;
-	const newRole = parseRoles(ctx.body.role);
+	const newRole = parseRoles(roleToSet);
 	if (option?.organizationHooks?.beforeUpdateMemberRole) {
 		const response = await option?.organizationHooks.beforeUpdateMemberRole({
 			member: toBeUpdatedMember,

package/dist/plugins/organization/routes/crud-team.mjs

@@ -2,10 +2,11 @@ import { setSessionCookie } from "../../../cookies/index.mjs";
 import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx } from "../../../api/routes/session.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";
-import { getOrgAdapter } from "../adapter.mjs";
+import { getOrgAdapter, resolveMaximumMembersPerTeam } from "../adapter.mjs";
 import { orgMiddleware, orgSessionMiddleware } from "../call.mjs";
 import { hasPermission } from "../has-permission.mjs";
 import { teamSchema } from "../schema.mjs";
+import { getCurrentAdapter, runWithTransaction } from "@better-auth/core/context";
 import { APIError } from "@better-auth/core/error";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
@@ -185,7 +186,25 @@ const removeTeam = (options) => createAuthEndpoint("/organization/remove-team",
 		user: session?.user,
 		organization
 	});
-	await adapter.deleteTeam(team.id);
+	await runWithTransaction(ctx.context.adapter, async () => {
+		await adapter.deleteTeam(team.id);
+		const pendingInvitations = await adapter.findPendingInvitations({ organizationId });
+		const trx = await getCurrentAdapter(ctx.context.adapter);
+		for (const invitation of pendingInvitations) {
+			if (!("teamId" in invitation) || !invitation.teamId) continue;
+			const teamIds = invitation.teamId.split(",");
+			if (!teamIds.includes(team.id)) continue;
+			const remainingTeamIds = teamIds.filter((id) => id !== team.id);
+			await trx.update({
+				model: "invitation",
+				where: [{
+					field: "id",
+					value: invitation.id
+				}],
+				update: { teamId: remainingTeamIds.length > 0 ? remainingTeamIds.join(",") : null }
+			});
+		}
+	});
 	if (options?.organizationHooks?.afterDeleteTeam) await options?.organizationHooks.afterDeleteTeam({
 		team,
 		user: session?.user,
@@ -600,7 +619,21 @@ const addTeamMember = (options) => createAuthEndpoint("/organization/add-team-me
 		});
 		if (response && typeof response === "object" && "data" in response) {}
 	}
-	const teamMember = await adapter.findOrCreateTeamMember({
+	const maximumMembersPerTeam = await resolveMaximumMembersPerTeam(ctx.context.orgOptions.teams, {
+		teamId: ctx.body.teamId,
+		organizationId,
+		session
+	});
+	let teamMember;
+	if (maximumMembersPerTeam !== void 0) {
+		const result = await adapter.addTeamMemberWithLimit({
+			teamId: ctx.body.teamId,
+			userId: ctx.body.userId,
+			maximumMembersPerTeam
+		});
+		if (result.status === "limitReached") throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.TEAM_MEMBER_LIMIT_REACHED);
+		teamMember = result.member;
+	} else teamMember = await adapter.findOrCreateTeamMember({
 		teamId: ctx.body.teamId,
 		userId: ctx.body.userId
 	});

package/dist/plugins/phone-number/routes.mjs

@@ -78,19 +78,19 @@ const signInPhoneNumber = (opts) => createAuthEndpoint("/sign-in/phone-number",
 	}
 	const credentialAccount = (await ctx.context.internalAdapter.findAccountByUserId(user.id)).find((a) => a.providerId === "credential");
 	if (!credentialAccount) {
-		ctx.context.logger.error("Credential account not found", { phoneNumber });
+		ctx.context.logger.warn("Credential account not found");
 		throw APIError.from("UNAUTHORIZED", PHONE_NUMBER_ERROR_CODES.INVALID_PHONE_NUMBER_OR_PASSWORD);
 	}
 	const currentPassword = credentialAccount?.password;
 	if (!currentPassword) {
-		ctx.context.logger.error("Password not found", { phoneNumber });
+		ctx.context.logger.warn("Password not found");
 		throw APIError.from("UNAUTHORIZED", PHONE_NUMBER_ERROR_CODES.UNEXPECTED_ERROR);
 	}
 	if (!await ctx.context.password.verify({
 		hash: currentPassword,
 		password
 	})) {
-		ctx.context.logger.error("Invalid password");
+		ctx.context.logger.warn("Invalid password");
 		throw APIError.from("UNAUTHORIZED", PHONE_NUMBER_ERROR_CODES.INVALID_PHONE_NUMBER_OR_PASSWORD);
 	}
 	const session = await ctx.context.internalAdapter.createSession(user.id, ctx.body.rememberMe === false);
@@ -280,24 +280,7 @@ const verifyPhoneNumber = (opts) => createAuthEndpoint("/phone-number/verify", {
 			code: ctx.body.code
 		}, ctx)) throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.INVALID_OTP);
 		if (await ctx.context.internalAdapter.findVerificationValue(ctx.body.phoneNumber)) await ctx.context.internalAdapter.deleteVerificationByIdentifier(ctx.body.phoneNumber);
-	} else {
-		const otp = await ctx.context.internalAdapter.findVerificationValue(ctx.body.phoneNumber);
-		if (!otp || otp.expiresAt < /* @__PURE__ */ new Date()) {
-			if (otp && otp.expiresAt < /* @__PURE__ */ new Date()) throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.OTP_EXPIRED);
-			throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.OTP_NOT_FOUND);
-		}
-		const [otpValue, attempts] = otp.value.split(":");
-		const allowedAttempts = opts?.allowedAttempts || 3;
-		if (attempts && parseInt(attempts) >= allowedAttempts) {
-			await ctx.context.internalAdapter.deleteVerificationByIdentifier(ctx.body.phoneNumber);
-			throw APIError.from("FORBIDDEN", PHONE_NUMBER_ERROR_CODES.TOO_MANY_ATTEMPTS);
-		}
-		if (otpValue !== ctx.body.code) {
-			await ctx.context.internalAdapter.updateVerificationByIdentifier(ctx.body.phoneNumber, { value: `${otpValue}:${parseInt(attempts || "0") + 1}` });
-			throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.INVALID_OTP);
-		}
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(ctx.body.phoneNumber);
-	}
+	} else await verifyPhoneNumberOTP(ctx, opts, ctx.body.phoneNumber, ctx.body.code);
 	if (ctx.body.updatePhoneNumber) {
 		const session = await getSessionFromCtx(ctx);
 		if (!session) throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.USER_NOT_FOUND);
@@ -432,20 +415,7 @@ const resetPasswordPhoneNumber = (opts) => createAuthEndpoint("/phone-number/res
 		} }
 	} }
 }, async (ctx) => {
-	const verification = await ctx.context.internalAdapter.findVerificationValue(`${ctx.body.phoneNumber}-request-password-reset`);
-	if (!verification) throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.OTP_NOT_FOUND);
-	if (verification.expiresAt < /* @__PURE__ */ new Date()) throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.OTP_EXPIRED);
-	const [otpValue, attempts] = verification.value.split(":");
-	const allowedAttempts = opts?.allowedAttempts || 3;
-	const phoneResetIdentifier = `${ctx.body.phoneNumber}-request-password-reset`;
-	if (attempts && parseInt(attempts) >= allowedAttempts) {
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(phoneResetIdentifier);
-		throw APIError.from("FORBIDDEN", PHONE_NUMBER_ERROR_CODES.TOO_MANY_ATTEMPTS);
-	}
-	if (ctx.body.otp !== otpValue) {
-		await ctx.context.internalAdapter.updateVerificationByIdentifier(phoneResetIdentifier, { value: `${otpValue}:${parseInt(attempts || "0") + 1}` });
-		throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.INVALID_OTP);
-	}
+	await verifyPhoneNumberOTP(ctx, opts, `${ctx.body.phoneNumber}-request-password-reset`, ctx.body.otp);
 	const userRes = await ctx.context.adapter.findOne({
 		model: "user",
 		where: [{
@@ -468,11 +438,46 @@ const resetPasswordPhoneNumber = (opts) => createAuthEndpoint("/phone-number/res
 		password: hashedPassword
 	});
 	else await ctx.context.internalAdapter.updatePassword(user.id, hashedPassword);
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(phoneResetIdentifier);
 	if (ctx.context.options.emailAndPassword?.onPasswordReset) await ctx.context.options.emailAndPassword.onPasswordReset({ user }, ctx.request);
 	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteUserSessions(user.id);
 	return ctx.json({ status: true });
 });
+/**
+* Atomically verifies a phone-number OTP against a stored verification value.
+*
+* Consuming the row is the race gate: the first concurrent caller wins the
+* row, every racer behind it gets `null` and is rejected, so the same code can
+* never satisfy two simultaneous verifications. On a wrong code that is still
+* within the attempt budget, the row is recreated with the same value and
+* expiry and an incremented attempt counter. Once the budget is exhausted the
+* row is not recreated.
+*/
+async function verifyPhoneNumberOTP(ctx, opts, identifier, providedCode) {
+	const existing = await ctx.context.internalAdapter.findVerificationValue(identifier);
+	if (!existing) throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.OTP_NOT_FOUND);
+	if (existing.expiresAt < /* @__PURE__ */ new Date()) {
+		await ctx.context.internalAdapter.deleteVerificationByIdentifier(identifier);
+		throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.OTP_EXPIRED);
+	}
+	const allowedAttempts = opts?.allowedAttempts || 3;
+	const [, peekedAttempts] = existing.value.split(":");
+	if (peekedAttempts && parseInt(peekedAttempts) >= allowedAttempts) {
+		await ctx.context.internalAdapter.deleteVerificationByIdentifier(identifier);
+		throw APIError.from("FORBIDDEN", PHONE_NUMBER_ERROR_CODES.TOO_MANY_ATTEMPTS);
+	}
+	const consumed = await ctx.context.internalAdapter.consumeVerificationValue(identifier);
+	if (!consumed) throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.INVALID_OTP);
+	const [otpValue, attempts] = consumed.value.split(":");
+	if (attempts && parseInt(attempts) >= allowedAttempts) throw APIError.from("FORBIDDEN", PHONE_NUMBER_ERROR_CODES.TOO_MANY_ATTEMPTS);
+	if (otpValue !== providedCode) {
+		await ctx.context.internalAdapter.createVerificationValue({
+			value: `${otpValue}:${parseInt(attempts || "0") + 1}`,
+			identifier,
+			expiresAt: consumed.expiresAt
+		});
+		throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.INVALID_OTP);
+	}
+}
 function generateOTP(size) {
 	return generateRandomString(size, "0-9");
 }

package/dist/plugins/siwe/index.mjs

@@ -68,8 +68,8 @@ const siwe = (options) => {
 					status: 400
 				});
 				try {
-					const verification = await ctx.context.internalAdapter.findVerificationValue(`siwe:${walletAddress}:${chainId}`);
-					if (!verification || /* @__PURE__ */ new Date() > verification.expiresAt) throw APIError.fromStatus("UNAUTHORIZED", {
+					const verification = await ctx.context.internalAdapter.consumeVerificationValue(`siwe:${walletAddress}:${chainId}`);
+					if (!verification) throw APIError.fromStatus("UNAUTHORIZED", {
 						message: "Unauthorized: Invalid or expired nonce",
 						status: 401,
 						code: "UNAUTHORIZED_INVALID_OR_EXPIRED_NONCE"
@@ -125,7 +125,6 @@ const siwe = (options) => {
 						message: "Unauthorized: Invalid SIWE signature",
 						status: 401
 					});
-					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`siwe:${walletAddress}:${chainId}`);
 					let user = null;
 					const existingWalletAddress = await ctx.context.adapter.findOne({
 						model: "walletAddress",

package/dist/plugins/two-factor/backup-codes/index.mjs

@@ -249,7 +249,7 @@ const backupCode2fa = (opts) => {
 					backupCodes: backupCodes.backupCodes
 				});
 			}),
-			viewBackupCodes: createAuthEndpoint({
+			viewBackupCodes: createAuthEndpoint.serverOnly({
 				method: "POST",
 				body: viewBackupCodesBodySchema
 			}, async (ctx) => {

package/dist/plugins/two-factor/otp/index.mjs

@@ -158,17 +158,12 @@ const otp2fa = (options) => {
 				} }
 			}, async (ctx) => {
 				const { session, key, valid, invalid } = await verifyTwoFactor(ctx);
-				const toCheckOtp = await ctx.context.internalAdapter.findVerificationValue(`2fa-otp-${key}`);
-				const [otp, counter] = toCheckOtp?.value?.split(":") ?? [];
-				if (!toCheckOtp || toCheckOtp.expiresAt < /* @__PURE__ */ new Date()) {
-					if (toCheckOtp) await ctx.context.internalAdapter.deleteVerificationByIdentifier(`2fa-otp-${key}`);
-					throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED);
-				}
+				const consumed = await ctx.context.internalAdapter.consumeVerificationValue(`2fa-otp-${key}`);
+				if (!consumed) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED);
+				const [otp, counter] = consumed.value?.split(":") ?? [];
 				const allowedAttempts = options?.allowedAttempts || 5;
-				if (parseInt(counter) >= allowedAttempts) {
-					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`2fa-otp-${key}`);
-					throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE);
-				}
+				const attempts = parseInt(counter, 10) || 0;
+				if (attempts >= allowedAttempts) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE);
 				const [storedValue, inputValue] = await decryptOrHashForComparison(ctx, otp, ctx.body.code);
 				if (constantTimeEqual(new TextEncoder().encode(storedValue), new TextEncoder().encode(inputValue))) {
 					if (!session.user.twoFactorEnabled) {
@@ -186,10 +181,13 @@ const otp2fa = (options) => {
 						});
 					}
 					return valid(ctx);
-				} else {
-					await ctx.context.internalAdapter.updateVerificationByIdentifier(`2fa-otp-${key}`, { value: `${otp}:${(parseInt(counter, 10) || 0) + 1}` });
-					return invalid("INVALID_CODE");
 				}
+				await ctx.context.internalAdapter.createVerificationValue({
+					value: `${otp}:${attempts + 1}`,
+					identifier: `2fa-otp-${key}`,
+					expiresAt: consumed.expiresAt
+				});
+				return invalid("INVALID_CODE");
 			})
 		}
 	};

package/dist/plugins/two-factor/totp/index.mjs

@@ -28,7 +28,7 @@ const totp2fa = (options) => {
 		id: "totp",
 		version: PACKAGE_VERSION,
 		endpoints: {
-			generateTOTP: createAuthEndpoint({
+			generateTOTP: createAuthEndpoint.serverOnly({
 				method: "POST",
 				body: generateTOTPBodySchema,
 				metadata: { openapi: {

package/dist/plugins/two-factor/verify-two-factor.mjs

@@ -23,12 +23,16 @@ async function verifyTwoFactor(ctx) {
 		const dontRememberMe = await ctx.getSignedCookie(ctx.context.authCookies.dontRememberToken.name, ctx.context.secret);
 		return {
 			valid: async (ctx) => {
-				const session = await ctx.context.internalAdapter.createSession(verificationToken.value, !!dontRememberMe);
+				const consumed = await ctx.context.internalAdapter.consumeVerificationValue(signedTwoFactorCookie);
+				if (!consumed || consumed.value !== user.id) {
+					expireCookie(ctx, twoFactorCookie);
+					throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES.INVALID_TWO_FACTOR_COOKIE);
+				}
+				const session = await ctx.context.internalAdapter.createSession(consumed.value, !!dontRememberMe);
 				if (!session) throw APIError.from("INTERNAL_SERVER_ERROR", {
 					message: "failed to create session",
 					code: "FAILED_TO_CREATE_SESSION"
 				});
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(signedTwoFactorCookie);
 				await setSessionCookie(ctx, {
 					session,
 					user