better-auth 1.6.18 → 1.6.19

package/dist/cookies/session-store.mjs

@@ -1,19 +1,30 @@
 import { symmetricDecodeJWT, symmetricEncodeJWT } from "../crypto/jwt.mjs";
 import { parseCookies } from "./cookie-utils.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
+import { serializeCookie } from "better-call";
 import * as z from "zod";
 //#region src/cookies/session-store.ts
-const ALLOWED_COOKIE_SIZE = 4096;
-const ESTIMATED_EMPTY_COOKIE_SIZE = 200;
-const CHUNK_SIZE = ALLOWED_COOKIE_SIZE - ESTIMATED_EMPTY_COOKIE_SIZE;
 /**
-* Extract the chunk index from a cookie name
+* Per-cookie byte ceiling.
+* Safari's ~4093 floor is the lowest among browsers.
+* Kept a little under it for attributes added after sizing.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6265#section-6.1
+* @see https://github.com/dotnet/aspnetcore/blob/aa5493528640932601bb82ef3295e4d8ca7e11c5/src/Shared/ChunkingCookieManager/ChunkingCookieManager.cs#L40
+*/
+const MAX_COOKIE_SIZE = 4050;
+/**
+* Max chunks per cookie.
+* A larger value does not belong in a cookie.
 */
-function getChunkIndex(cookieName) {
-	const parts = cookieName.split(".");
-	const lastPart = parts[parts.length - 1];
-	const index = parseInt(lastPart || "0", 10);
-	return isNaN(index) ? 0 : index;
+const MAX_COOKIE_CHUNKS = 100;
+/**
+* Largest value that keeps the serialized cookie within {@link MAX_COOKIE_SIZE},
+* measured with the real `serializeCookie` writer so it stays in sync with the
+* wire. Non-positive when the name and attributes alone overflow.
+*/
+function getMaxCookieValueSize(name, options) {
+	return MAX_COOKIE_SIZE - serializeCookie(name, "", { ...options }).length;
 }
 /**
 * Read all existing chunks from cookies
@@ -25,27 +36,24 @@ function readExistingChunks(cookieName, ctx) {
 	return chunks;
 }
 /**
-* Get the full session data by joining all chunks
-*/
-function joinChunks(chunks) {
-	return Object.keys(chunks).sort((a, b) => {
-		return getChunkIndex(a) - getChunkIndex(b);
-	}).map((key) => chunks[key]).join("");
-}
-/**
 * Split a cookie value into chunks if needed
 */
 function chunkCookie(storeName, cookie, chunks, logger) {
-	const chunkCount = Math.ceil(cookie.value.length / CHUNK_SIZE);
-	if (chunkCount === 1) {
+	const chunkSize = getMaxCookieValueSize(`${cookie.name}.${MAX_COOKIE_CHUNKS - 1}`, cookie.attributes);
+	const chunkCount = chunkSize > 0 ? Math.ceil(cookie.value.length / chunkSize) : Infinity;
+	if (chunkCount <= 1) {
 		chunks[cookie.name] = cookie.value;
 		return [cookie];
 	}
+	if (chunkCount > MAX_COOKIE_CHUNKS) {
+		logger.warn(`${storeName} cookie is too large to store even after chunking, so the cache was skipped. Reduce the cached data or use a database session.`);
+		return [];
+	}
 	const cookies = [];
 	for (let i = 0; i < chunkCount; i++) {
 		const name = `${cookie.name}.${i}`;
-		const start = i * CHUNK_SIZE;
-		const value = cookie.value.substring(start, start + CHUNK_SIZE);
+		const start = i * chunkSize;
+		const value = cookie.value.substring(start, start + chunkSize);
 		cookies.push({
 			...cookie,
 			name,
@@ -54,11 +62,10 @@ function chunkCookie(storeName, cookie, chunks, logger) {
 		chunks[name] = value;
 	}
 	logger.debug(`CHUNKING_${storeName.toUpperCase()}_COOKIE`, {
-		message: `${storeName} cookie exceeds allowed ${ALLOWED_COOKIE_SIZE} bytes.`,
-		emptyCookieSize: ESTIMATED_EMPTY_COOKIE_SIZE,
+		message: `${storeName} cookie exceeds the ${MAX_COOKIE_SIZE} byte limit and was split into ${chunkCount} chunks.`,
 		valueSize: cookie.value.length,
 		chunkCount,
-		chunks: cookies.map((c) => c.value.length + ESTIMATED_EMPTY_COOKIE_SIZE)
+		chunkSizes: cookies.map((c) => c.value.length)
 	});
 	return cookies;
 }
@@ -78,26 +85,22 @@ function getCleanCookies(chunks, cookieOptions) {
 	return cleanedChunks;
 }
 /**
-* Create a session store for handling cookie chunking.
-* When session data exceeds 4KB, it automatically splits it into multiple cookies.
+* Store that splits a cookie into numbered chunks when its serialized form
+* would exceed the per-cookie byte limit, expiring stale chunks as needed.
 *
-* Based on next-auth's SessionStore implementation.
 * @see https://github.com/nextauthjs/next-auth/blob/27b2519b84b8eb9cf053775dea29d577d2aa0098/packages/next-auth/src/core/lib/cookie.ts
 */
 const storeFactory = (storeName) => (cookieName, cookieOptions, ctx) => {
 	const chunks = readExistingChunks(cookieName, ctx);
 	const logger = ctx.context.logger;
+	const expireExistingChunks = () => {
+		const expired = getCleanCookies(chunks, cookieOptions);
+		for (const name in chunks) delete chunks[name];
+		return expired;
+	};
 	return {
-		getValue() {
-			return joinChunks(chunks);
-		},
-		hasChunks() {
-			return Object.keys(chunks).length > 0;
-		},
 		chunk(value, options) {
-			const cleanedChunks = getCleanCookies(chunks, cookieOptions);
-			for (const name in chunks) delete chunks[name];
-			const cookies = cleanedChunks;
+			const cookies = expireExistingChunks();
 			const chunked = chunkCookie(storeName, {
 				name: cookieName,
 				value,
@@ -110,9 +113,7 @@ const storeFactory = (storeName) => (cookieName, cookieOptions, ctx) => {
 			return Object.values(cookies);
 		},
 		clean() {
-			const cleanedChunks = getCleanCookies(chunks, cookieOptions);
-			for (const name in chunks) delete chunks[name];
-			return Object.values(cleanedChunks);
+			return Object.values(expireExistingChunks());
 		},
 		setCookies(cookies) {
 			for (const cookie of cookies) ctx.setCookie(cookie.name, cookie.value, cookie.attributes);
@@ -148,18 +149,8 @@ async function setAccountCookie(c, accountData) {
 		...accountDataCookie.attributes
 	};
 	const data = await symmetricEncodeJWT(accountData, c.context.secretConfig, "better-auth-account", options.maxAge);
-	if (data.length > ALLOWED_COOKIE_SIZE) {
-		const accountStore = createAccountStore(accountDataCookie.name, options, c);
-		const cookies = accountStore.chunk(data, options);
-		accountStore.setCookies(cookies);
-	} else {
-		const accountStore = createAccountStore(accountDataCookie.name, options, c);
-		if (accountStore.hasChunks()) {
-			const cleanCookies = accountStore.clean();
-			accountStore.setCookies(cleanCookies);
-		}
-		c.setCookie(accountDataCookie.name, data, options);
-	}
+	const accountStore = createAccountStore(accountDataCookie.name, options, c);
+	accountStore.setCookies(accountStore.chunk(data, options));
 }
 async function getAccountCookie(c) {
 	const accountCookie = getChunkedCookie(c, c.context.authCookies.accountData.name);

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.18";
+var version = "1.6.19";
 //#endregion
 export { version };

package/dist/plugins/device-authorization/index.d.mts

@@ -104,6 +104,7 @@ declare const deviceAuthorization: (options?: Partial<DeviceAuthorizationOptions
       method: "POST";
       body: z.ZodObject<{
         client_id: z.ZodString;
+        user_id: z.ZodOptional<z.ZodString>;
         scope: z.ZodOptional<z.ZodString>;
       }, z.core.$strip>;
       error: z.ZodObject<{

package/dist/plugins/device-authorization/routes.mjs

@@ -9,6 +9,7 @@ import * as z from "zod";
 const defaultCharset = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
 const deviceCodeBodySchema = z.object({
 	client_id: z.string().meta({ description: "The client ID of the application" }),
+	user_id: z.string().meta({ description: "The user ID to which the device code should be pre-bound." }).optional(),
 	scope: z.string().meta({ description: "Space-separated list of scopes" }).optional()
 });
 const deviceCodeErrorSchema = z.object({
@@ -99,7 +100,7 @@ Follow [rfc8628#section-3.2](https://datatracker.ietf.org/doc/html/rfc8628#secti
 			data: {
 				deviceCode,
 				userCode,
-				userId: null,
+				userId: ctx.body.user_id || null,
 				expiresAt,
 				status: "pending",
 				pollingInterval: ms(opts.interval),
@@ -341,7 +342,7 @@ const deviceVerify = createAuthEndpoint("/device", {
 	});
 	const session = await getSessionFromCtx(ctx);
 	if (session?.user?.id && !deviceCodeRecord.userId && deviceCodeRecord.status === "pending") {
-		if (await ctx.context.adapter.update({
+		if (await ctx.context.adapter.incrementOne({
 			model: "deviceCode",
 			where: [
 				{
@@ -358,7 +359,8 @@ const deviceVerify = createAuthEndpoint("/device", {
 					value: null
 				}
 			],
-			update: { userId: session.user.id }
+			increment: {},
+			set: { userId: session.user.id }
 		})) deviceCodeRecord.userId = session.user.id;
 	}
 	return ctx.json({

package/dist/plugins/last-login-method/client.d.mts

@@ -8,6 +8,16 @@ interface LastLoginMethodClientConfig {
    * @default "better-auth.last_used_login_method"
    */
   cookieName?: string | undefined;
+  /**
+   * Domain for the cookie. Required when using cross-subdomain cookies
+   * so the client can properly clear the cookie set by the server.
+   *
+   * Should match the `domain` value in your server's
+   * `crossSubDomainCookies` configuration.
+   *
+   * @example ".example.com"
+   */
+  domain?: string | undefined;
 }
 /**
  * Client-side plugin to retrieve the last used login method

package/dist/plugins/last-login-method/client.mjs

@@ -19,7 +19,10 @@ const lastLoginMethodClient = (config = {}) => {
 					return getCookieValue(cookieName);
 				},
 				clearLastUsedLoginMethod: () => {
-					if (typeof document !== "undefined") document.cookie = `${cookieName}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;`;
+					if (typeof document !== "undefined") {
+						const domainPart = config.domain ? ` domain=${config.domain};` : "";
+						document.cookie = `${cookieName}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;${domainPart}`;
+					}
 				},
 				isLastUsedLoginMethod: (method) => {
 					return getCookieValue(cookieName) === method;

package/dist/plugins/oauth-popup/index.mjs

@@ -3,7 +3,7 @@ import { generateRandomString } from "../../crypto/random.mjs";
 import { expireCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
 import { setOAuthState } from "../../api/state/oauth.mjs";
-import { generateGenericState } from "../../state.mjs";
+import { INTERNAL_STATE_KEYS, generateGenericState } from "../../state.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE } from "./constants.mjs";
@@ -132,8 +132,9 @@ const oauthPopupStart = createAuthEndpoint("/oauth-popup/start", {
 	let url;
 	try {
 		const codeVerifier = generateRandomString(128);
+		const parsedAdditionalData = c.query.additionalData ? safeJSONParse(c.query.additionalData) ?? {} : {};
 		const stateData = {
-			...c.query.additionalData ? safeJSONParse(c.query.additionalData) ?? {} : {},
+			...Object.fromEntries(Object.entries(parsedAdditionalData).filter(([key]) => !INTERNAL_STATE_KEYS.has(key))),
 			callbackURL,
 			codeVerifier,
 			errorURL: c.query.errorCallbackURL,

package/dist/plugins/open-api/generator.d.mts

@@ -72,7 +72,7 @@ type OpenAPIOperation = {
 };
 type FieldSchema = {
   type: DBFieldType;
-  default?: (DBFieldAttributeConfig["defaultValue"] | "Generated at runtime") | undefined;
+  default?: DBFieldAttributeConfig["defaultValue"] | undefined;
   readOnly?: boolean | undefined;
   format?: string;
 };

package/dist/plugins/open-api/generator.mjs

@@ -1,7 +1,6 @@
 import { db_exports } from "../../db/index.mjs";
 import { getEndpoints } from "../../api/index.mjs";
 import * as z from "zod";
-import { toPascalCase } from "@better-auth/core/utils/string";
 //#region src/plugins/open-api/generator.ts
 const OPEN_API_SCHEMA_TYPES = new Set([
 	"string",
@@ -20,7 +19,9 @@ function getFieldSchema(field) {
 		type: field.type === "date" ? "string" : field.type,
 		...field.type === "date" && { format: "date-time" }
 	};
-	if (field.defaultValue !== void 0) schema.default = typeof field.defaultValue === "function" ? "Generated at runtime" : field.defaultValue;
+	if (field.defaultValue !== void 0) {
+		if (typeof field.defaultValue !== "function") schema.default = field.defaultValue;
+	}
 	if (field.input === false) schema.readOnly = true;
 	return schema;
 }
@@ -68,11 +69,8 @@ function getZodPipeSchema(zodType) {
 }
 function getParameters(options) {
 	const parameters = [];
-	if (options.metadata?.openapi?.parameters) {
-		parameters.push(...options.metadata.openapi.parameters);
-		return parameters;
-	}
-	if (options.query instanceof z.ZodObject) Object.entries(options.query.shape).forEach(([key, value]) => {
+	if (options.metadata?.openapi?.parameters) parameters.push(...options.metadata.openapi.parameters);
+	if (!options.metadata?.openapi?.parameters && options.query instanceof z.ZodObject) Object.entries(options.query.shape).forEach(([key, value]) => {
 		if (value instanceof z.ZodType) {
 			const parameterSchema = toOpenApiSchema(value);
 			parameters.push({
@@ -84,6 +82,15 @@ function getParameters(options) {
 	});
 	return parameters;
 }
+function getPathParameters(path, parameters) {
+	const existingParameters = new Set(parameters.map((parameter) => `${parameter.in}:${parameter.name}`));
+	return path.split("/").filter((part) => part.startsWith(":")).map((part) => part.slice(1)).filter((name) => !existingParameters.has(`path:${name}`)).map((name) => ({
+		name,
+		in: "path",
+		required: true,
+		schema: { type: "string" }
+	}));
+}
 function getRequestBodySchemaInfo(zodType) {
 	return {
 		required: !schemaAcceptsUndefined(zodType),
@@ -278,6 +285,29 @@ function getResponse(responses) {
 function toOpenApiPath(path) {
 	return path.split("/").map((part) => part.startsWith(":") ? `{${part.slice(1)}}` : part).join("/");
 }
+function getOperationId(operationId, method, usedOperationIds) {
+	if (!operationId) return;
+	if (!usedOperationIds.has(operationId)) {
+		usedOperationIds.add(operationId);
+		return operationId;
+	}
+	const normalizedMethod = method.toUpperCase();
+	const methodSuffix = normalizedMethod.charAt(0) + normalizedMethod.slice(1).toLowerCase();
+	let candidate = `${operationId}${methodSuffix}`;
+	let duplicateIndex = 2;
+	while (usedOperationIds.has(candidate)) {
+		candidate = `${operationId}${methodSuffix}${duplicateIndex}`;
+		duplicateIndex += 1;
+	}
+	usedOperationIds.add(candidate);
+	return candidate;
+}
+function cloneOpenAPIValue(value) {
+	if (Array.isArray(value)) return value.map((item) => cloneOpenAPIValue(item));
+	if (value instanceof Date) return new Date(value);
+	if (value && typeof value === "object") return Object.fromEntries(Object.entries(value).map(([key, entry]) => [key, cloneOpenAPIValue(entry)]));
+	return value;
+}
 async function generator(ctx, options) {
 	const baseEndpoints = getEndpoints(ctx, {
 		...options,
@@ -315,31 +345,24 @@ async function generator(ctx, options) {
 		return acc;
 	}, {}) } };
 	const paths = {};
-	const seenOperationIds = /* @__PURE__ */ new Set();
-	const uniqueOperationId = (operationId, method) => {
-		if (!operationId) return void 0;
-		const base = seenOperationIds.has(operationId) ? `${operationId}${toPascalCase(method)}` : operationId;
-		let result = base;
-		let n = 2;
-		while (seenOperationIds.has(result)) result = `${base}${n++}`;
-		seenOperationIds.add(result);
-		return result;
-	};
+	const usedOperationIds = /* @__PURE__ */ new Set();
 	Object.entries(baseEndpoints.api).forEach(([_, value]) => {
 		if (!value.path || ctx.options.disabledPaths?.includes(value.path)) return;
 		const options = value.options;
 		if (options.metadata?.SERVER_ONLY) return;
 		const path = toOpenApiPath(value.path);
+		const operationParameters = getParameters(options);
+		const parameters = [...operationParameters, ...getPathParameters(value.path, operationParameters)];
 		const methods = Array.isArray(options.method) ? options.method : [options.method];
 		for (const method of methods.filter((m) => m === "GET" || m === "DELETE")) paths[path] = {
 			...paths[path],
 			[method.toLowerCase()]: {
 				tags: ["Default", ...options.metadata?.openapi?.tags || []],
 				description: options.metadata?.openapi?.description,
-				operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
+				operationId: getOperationId(options.metadata?.openapi?.operationId, method, usedOperationIds),
 				security: [{ bearerAuth: [] }],
-				parameters: getParameters(options),
-				responses: getResponse(options.metadata?.openapi?.responses)
+				parameters: cloneOpenAPIValue(parameters),
+				responses: cloneOpenAPIValue(getResponse(options.metadata?.openapi?.responses))
 			}
 		};
 		for (const method of methods.filter((m) => m === "POST" || m === "PATCH" || m === "PUT")) {
@@ -349,14 +372,14 @@ async function generator(ctx, options) {
 				[method.toLowerCase()]: {
 					tags: ["Default", ...options.metadata?.openapi?.tags || []],
 					description: options.metadata?.openapi?.description,
-					operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
+					operationId: getOperationId(options.metadata?.openapi?.operationId, method, usedOperationIds),
 					security: [{ bearerAuth: [] }],
-					parameters: getParameters(options),
-					...body ? { requestBody: body } : { requestBody: { content: { "application/json": { schema: {
+					parameters: cloneOpenAPIValue(parameters),
+					...body ? { requestBody: cloneOpenAPIValue(body) } : { requestBody: { content: { "application/json": { schema: {
 						type: "object",
 						properties: {}
 					} } } } },
-					responses: getResponse(options.metadata?.openapi?.responses)
+					responses: cloneOpenAPIValue(getResponse(options.metadata?.openapi?.responses))
 				}
 			};
 		}
@@ -376,16 +399,18 @@ async function generator(ctx, options) {
 			const options = value.options;
 			if (options.metadata?.SERVER_ONLY) return;
 			const path = toOpenApiPath(value.path);
+			const operationParameters = getParameters(options);
+			const parameters = [...operationParameters, ...getPathParameters(value.path, operationParameters)];
 			const methods = Array.isArray(options.method) ? options.method : [options.method];
 			for (const method of methods.filter((m) => m === "GET" || m === "DELETE")) paths[path] = {
 				...paths[path],
 				[method.toLowerCase()]: {
 					tags: options.metadata?.openapi?.tags || [plugin.id.charAt(0).toUpperCase() + plugin.id.slice(1)],
 					description: options.metadata?.openapi?.description,
-					operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
+					operationId: getOperationId(options.metadata?.openapi?.operationId, method, usedOperationIds),
 					security: [{ bearerAuth: [] }],
-					parameters: getParameters(options),
-					responses: getResponse(options.metadata?.openapi?.responses)
+					parameters: cloneOpenAPIValue(parameters),
+					responses: cloneOpenAPIValue(getResponse(options.metadata?.openapi?.responses))
 				}
 			};
 			for (const method of methods.filter((m) => m === "POST" || m === "PATCH" || m === "PUT")) paths[path] = {
@@ -393,11 +418,11 @@ async function generator(ctx, options) {
 				[method.toLowerCase()]: {
 					tags: options.metadata?.openapi?.tags || [plugin.id.charAt(0).toUpperCase() + plugin.id.slice(1)],
 					description: options.metadata?.openapi?.description,
-					operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
+					operationId: getOperationId(options.metadata?.openapi?.operationId, method, usedOperationIds),
 					security: [{ bearerAuth: [] }],
-					parameters: getParameters(options),
-					requestBody: getRequestBody(options),
-					responses: getResponse(options.metadata?.openapi?.responses)
+					parameters: cloneOpenAPIValue(parameters),
+					requestBody: cloneOpenAPIValue(getRequestBody(options)),
+					responses: cloneOpenAPIValue(getResponse(options.metadata?.openapi?.responses))
 				}
 			};
 		});

package/dist/plugins/organization/adapter.mjs

@@ -678,10 +678,11 @@ const getOrgAdapter = (context, options) => {
 				field: "status",
 				value: data.fromStatus
 			});
-			return await adapter.update({
+			return await adapter.incrementOne({
 				model: "invitation",
 				where,
-				update: { status: data.status }
+				increment: {},
+				set: { status: data.status }
 			});
 		}
 	};

package/dist/plugins/organization/routes/crud-access-control.mjs

@@ -564,7 +564,7 @@ const updateOrgRole = (options) => {
 			...updateData,
 			...updateData.permission ? { permission: JSON.stringify(updateData.permission) } : {}
 		};
-		await ctx.context.adapter.update({
+		await ctx.context.adapter.updateMany({
 			model: "organizationRole",
 			where: [{
 				field: "organizationId",

package/dist/plugins/two-factor/backup-codes/index.mjs

@@ -177,16 +177,17 @@ const backupCode2fa = (opts) => {
 				}, ctx.context.secretConfig, opts);
 				if (!validate.status || !validate.updated) throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES.INVALID_BACKUP_CODE);
 				const updatedBackupCodes = await encodeBackupCodes(validate.updated, ctx.context.secretConfig, opts);
-				if (!await ctx.context.adapter.update({
+				if (!await ctx.context.adapter.incrementOne({
 					model: twoFactorTable,
-					update: { backupCodes: updatedBackupCodes },
 					where: [{
 						field: "id",
 						value: twoFactor.id
 					}, {
 						field: "backupCodes",
 						value: twoFactor.backupCodes
-					}]
+					}],
+					increment: {},
+					set: { backupCodes: updatedBackupCodes }
 				})) throw APIError.fromStatus("CONFLICT", { message: "Failed to verify backup code. Please try again." });
 				if (!ctx.body.disableSession) return valid(ctx);
 				return ctx.json({

package/dist/state.mjs

@@ -17,6 +17,7 @@ const stateDataSchema = z.looseObject({
 	}).optional(),
 	requestSignUp: z.boolean().optional()
 });
+const INTERNAL_STATE_KEYS = new Set(Object.keys(stateDataSchema.shape));
 var StateError = class extends BetterAuthError {
 	code;
 	details;
@@ -130,4 +131,4 @@ async function parseGenericState(c, state, settings) {
 	return parsedData;
 }
 //#endregion
-export { StateError, generateGenericState, parseGenericState };
+export { INTERNAL_STATE_KEYS, StateError, generateGenericState, parseGenericState };