better-auth 1.6.3 → 1.7.0-beta.1

package/dist/plugins/last-login-method/index.mjs

@@ -8,7 +8,7 @@ const lastLoginMethod = (userConfig) => {
 	const defaultResolveMethod = (ctx) => {
 		const path = ctx.path;
 		if (!path) return null;
-		if (path.startsWith("/callback/") || path.startsWith("/oauth2/callback/")) return ctx.params?.id || ctx.params?.providerId || path.split("/").pop();
+		if (path.startsWith("/callback/")) return ctx.params?.id || path.split("/").pop();
 		if (path === "/sign-in/email" || path === "/sign-up/email") return "email";
 		if (path.includes("siwe")) return "siwe";
 		if (path.includes("/passkey/verify-authentication")) return "passkey";

package/dist/plugins/oauth-proxy/index.mjs

@@ -111,7 +111,7 @@ const oAuthProxy = (opts) => {
 		hooks: {
 			before: [{
 				matcher(context) {
-					return !!(context.path?.startsWith("/sign-in/social") || context.path?.startsWith("/sign-in/oauth2"));
+					return !!context.path?.startsWith("/sign-in/social");
 				},
 				handler: createAuthMiddleware(async (ctx) => {
 					if (checkSkipProxy(ctx, opts)) return;
@@ -237,7 +237,7 @@ const oAuthProxy = (opts) => {
 			}],
 			after: [{
 				matcher(context) {
-					return !!(context.path?.startsWith("/sign-in/social") || context.path?.startsWith("/sign-in/oauth2"));
+					return !!context.path?.startsWith("/sign-in/social");
 				},
 				handler: createAuthMiddleware(async (ctx) => {
 					if (checkSkipProxy(ctx, opts)) return;

package/dist/plugins/two-factor/client.d.mts

@@ -58,8 +58,10 @@ declare const twoFactorClient: (options?: {
   }[];
   $ERROR_CODES: {
     OTP_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"OTP_NOT_ENABLED">;
+    OTP_NOT_CONFIGURED: _better_auth_core_utils_error_codes0.RawError<"OTP_NOT_CONFIGURED">;
     OTP_HAS_EXPIRED: _better_auth_core_utils_error_codes0.RawError<"OTP_HAS_EXPIRED">;
     TOTP_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"TOTP_NOT_ENABLED">;
+    TOTP_NOT_CONFIGURED: _better_auth_core_utils_error_codes0.RawError<"TOTP_NOT_CONFIGURED">;
     TWO_FACTOR_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"TWO_FACTOR_NOT_ENABLED">;
     BACKUP_CODES_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"BACKUP_CODES_NOT_ENABLED">;
     INVALID_BACKUP_CODE: _better_auth_core_utils_error_codes0.RawError<"INVALID_BACKUP_CODE">;

package/dist/plugins/two-factor/error-code.d.mts

@@ -3,8 +3,10 @@ import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/e
 //#region src/plugins/two-factor/error-code.d.ts
 declare const TWO_FACTOR_ERROR_CODES: {
   OTP_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"OTP_NOT_ENABLED">;
+  OTP_NOT_CONFIGURED: _better_auth_core_utils_error_codes0.RawError<"OTP_NOT_CONFIGURED">;
   OTP_HAS_EXPIRED: _better_auth_core_utils_error_codes0.RawError<"OTP_HAS_EXPIRED">;
   TOTP_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"TOTP_NOT_ENABLED">;
+  TOTP_NOT_CONFIGURED: _better_auth_core_utils_error_codes0.RawError<"TOTP_NOT_CONFIGURED">;
   TWO_FACTOR_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"TWO_FACTOR_NOT_ENABLED">;
   BACKUP_CODES_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"BACKUP_CODES_NOT_ENABLED">;
   INVALID_BACKUP_CODE: _better_auth_core_utils_error_codes0.RawError<"INVALID_BACKUP_CODE">;

package/dist/plugins/two-factor/error-code.mjs

@@ -2,8 +2,10 @@ import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
 //#region src/plugins/two-factor/error-code.ts
 const TWO_FACTOR_ERROR_CODES = defineErrorCodes({
 	OTP_NOT_ENABLED: "OTP not enabled",
+	OTP_NOT_CONFIGURED: "OTP is not available",
 	OTP_HAS_EXPIRED: "OTP has expired",
 	TOTP_NOT_ENABLED: "TOTP not enabled",
+	TOTP_NOT_CONFIGURED: "TOTP is not available",
 	TWO_FACTOR_NOT_ENABLED: "Two factor isn't enabled",
 	BACKUP_CODES_NOT_ENABLED: "Backup codes aren't enabled",
 	INVALID_BACKUP_CODE: "Invalid backup code",

package/dist/plugins/two-factor/index.d.mts

@@ -40,9 +40,17 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
       method: "POST";
       body: z.ZodObject<{
         password: z.ZodOptional<z.ZodString>;
+        method: z.ZodDefault<z.ZodEnum<{
+          otp: "otp";
+          totp: "totp";
+        }>>;
         issuer: z.ZodOptional<z.ZodString>;
       }, z.core.$strip> | z.ZodObject<{
         password: z.ZodString;
+        method: z.ZodDefault<z.ZodEnum<{
+          otp: "otp";
+          totp: "totp";
+        }>>;
         issuer: z.ZodOptional<z.ZodString>;
       }, z.core.$strip>;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
@@ -80,6 +88,11 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
                   schema: {
                     type: "object";
                     properties: {
+                      method: {
+                        type: string;
+                        enum: string[];
+                        description: string;
+                      };
                       totpURI: {
                         type: string;
                         description: string;
@@ -92,6 +105,7 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
                         description: string;
                       };
                     };
+                    required: string[];
                   };
                 };
               };
@@ -100,6 +114,9 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
         };
       };
     }, {
+      method: "otp";
+    } | {
+      method: "totp";
       totpURI: string;
       backupCodes: string[];
     }>;
@@ -672,8 +689,10 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
   }[];
   $ERROR_CODES: {
     OTP_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"OTP_NOT_ENABLED">;
+    OTP_NOT_CONFIGURED: _better_auth_core_utils_error_codes0.RawError<"OTP_NOT_CONFIGURED">;
     OTP_HAS_EXPIRED: _better_auth_core_utils_error_codes0.RawError<"OTP_HAS_EXPIRED">;
     TOTP_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"TOTP_NOT_ENABLED">;
+    TOTP_NOT_CONFIGURED: _better_auth_core_utils_error_codes0.RawError<"TOTP_NOT_CONFIGURED">;
     TWO_FACTOR_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"TWO_FACTOR_NOT_ENABLED">;
     BACKUP_CODES_NOT_ENABLED: _better_auth_core_utils_error_codes0.RawError<"BACKUP_CODES_NOT_ENABLED">;
     INVALID_BACKUP_CODE: _better_auth_core_utils_error_codes0.RawError<"INVALID_BACKUP_CODE">;

package/dist/plugins/two-factor/index.mjs

@@ -36,12 +36,16 @@ const twoFactor = (options) => {
 	});
 	const otp = otp2fa(options?.otpOptions);
 	const passwordSchema = z.string().meta({ description: "User password" });
+	const methodField = z.enum(["otp", "totp"]).default("totp").meta({ description: "The 2FA method to enable. 'totp' generates an authenticator app secret (requires verification). 'otp' enables email/SMS-based codes immediately." });
+	const issuerField = z.string().meta({ description: "Custom issuer for the TOTP URI" }).optional();
 	const enableTwoFactorBodySchema = allowPasswordless ? z.object({
 		password: passwordSchema.optional(),
-		issuer: z.string().meta({ description: "Custom issuer for the TOTP URI" }).optional()
+		method: methodField,
+		issuer: issuerField
 	}) : z.object({
 		password: passwordSchema,
-		issuer: z.string().meta({ description: "Custom issuer for the TOTP URI" }).optional()
+		method: methodField,
+		issuer: issuerField
 	});
 	const disableTwoFactorBodySchema = allowPasswordless ? z.object({ password: passwordSchema.optional() }) : z.object({ password: passwordSchema });
 	return {
@@ -57,28 +61,34 @@ const twoFactor = (options) => {
 				use: [sessionMiddleware],
 				metadata: { openapi: {
 					summary: "Enable two factor authentication",
-					description: "Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. Once the user verifies the TOTP URI, the two factor authentication will be enabled.",
+					description: "Enable two factor authentication. Pass method 'totp' (default) to set up an authenticator app (returns TOTP URI and backup codes), or 'otp' to enable email/SMS-based codes immediately.",
 					responses: { 200: {
 						description: "Successful response",
 						content: { "application/json": { schema: {
 							type: "object",
 							properties: {
+								method: {
+									type: "string",
+									enum: ["otp", "totp"],
+									description: "The 2FA method that was enabled."
+								},
 								totpURI: {
 									type: "string",
-									description: "TOTP URI"
+									description: "TOTP URI for authenticator app setup. Only present when method is 'totp'."
 								},
 								backupCodes: {
 									type: "array",
 									items: { type: "string" },
-									description: "Backup codes"
+									description: "Recovery backup codes. Only present when method is 'totp'."
 								}
-							}
+							},
+							required: ["method"]
 						} } }
 					} }
 				} }
 			}, async (ctx) => {
 				const user = ctx.context.session.user;
-				const { password, issuer } = ctx.body;
+				const { password, issuer, method } = ctx.body;
 				if (await shouldRequirePassword(ctx, user.id, allowPasswordless)) {
 					if (!password) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_PASSWORD);
 					if (!await validatePassword(ctx, {
@@ -86,23 +96,18 @@ const twoFactor = (options) => {
 						userId: user.id
 					})) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_PASSWORD);
 				}
-				const secret = generateRandomString(32);
-				const encryptedSecret = await symmetricEncrypt({
-					key: ctx.context.secretConfig,
-					data: secret
-				});
-				const backupCodes = await generateBackupCodes(ctx.context.secretConfig, backupCodeOptions);
-				if (options?.skipVerificationOnEnable) {
+				if (method === "otp" && !options?.otpOptions?.sendOTP) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.OTP_NOT_CONFIGURED);
+				if (method === "totp" && options?.totpOptions?.disable) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOTP_NOT_CONFIGURED);
+				if (method === "otp") {
 					const updatedUser = await ctx.context.internalAdapter.updateUser(user.id, { twoFactorEnabled: true });
-					/**
-					* Update the session cookie with the new user data
-					*/
 					await setSessionCookie(ctx, {
 						session: await ctx.context.internalAdapter.createSession(updatedUser.id, false, ctx.context.session.session),
 						user: updatedUser
 					});
 					await ctx.context.internalAdapter.deleteSession(ctx.context.session.session.token);
+					return ctx.json({ method: "otp" });
 				}
+				const backupCodes = await generateBackupCodes(ctx.context.secretConfig, backupCodeOptions);
 				const existingTwoFactor = await ctx.context.adapter.findOne({
 					model: opts.twoFactorTable,
 					where: [{
@@ -110,20 +115,37 @@ const twoFactor = (options) => {
 						value: user.id
 					}]
 				});
-				await ctx.context.adapter.deleteMany({
+				const secret = generateRandomString(32);
+				const encryptedSecret = await symmetricEncrypt({
+					key: ctx.context.secretConfig,
+					data: secret
+				});
+				if (options?.skipVerificationOnEnable) {
+					const updatedUser = await ctx.context.internalAdapter.updateUser(user.id, { twoFactorEnabled: true });
+					await setSessionCookie(ctx, {
+						session: await ctx.context.internalAdapter.createSession(updatedUser.id, false, ctx.context.session.session),
+						user: updatedUser
+					});
+					await ctx.context.internalAdapter.deleteSession(ctx.context.session.session.token);
+				}
+				const totpData = {
+					secret: encryptedSecret,
+					backupCodes: backupCodes.encryptedBackupCodes,
+					verified: existingTwoFactor != null && existingTwoFactor.verified === true || !!options?.skipVerificationOnEnable
+				};
+				if (existingTwoFactor) await ctx.context.adapter.update({
 					model: opts.twoFactorTable,
+					update: totpData,
 					where: [{
-						field: "userId",
-						value: user.id
+						field: "id",
+						value: existingTwoFactor.id
 					}]
 				});
-				await ctx.context.adapter.create({
+				else await ctx.context.adapter.create({
 					model: opts.twoFactorTable,
 					data: {
-						secret: encryptedSecret,
-						backupCodes: backupCodes.encryptedBackupCodes,
-						userId: user.id,
-						verified: existingTwoFactor != null && existingTwoFactor.verified !== false || !!options?.skipVerificationOnEnable
+						...totpData,
+						userId: user.id
 					}
 				});
 				const totpURI = createOTP(secret, {
@@ -131,6 +153,7 @@ const twoFactor = (options) => {
 					period: options?.totpOptions?.period
 				}).url(issuer || options?.issuer || ctx.context.appName, user.email);
 				return ctx.json({
+					method: "totp",
 					totpURI,
 					backupCodes: backupCodes.backupCodes
 				});

package/dist/test-utils/test-instance.d.mts

@@ -228,6 +228,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       query: zod.ZodOptional<zod.ZodObject<{
         code: zod.ZodOptional<zod.ZodString>;
@@ -236,6 +237,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       metadata: {
         allowedMediaTypes: string[];
@@ -2231,6 +2233,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       query: zod.ZodOptional<zod.ZodObject<{
         code: zod.ZodOptional<zod.ZodString>;
@@ -2239,6 +2242,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       metadata: {
         allowedMediaTypes: string[];
@@ -4237,6 +4241,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             error_description: zod.ZodOptional<zod.ZodString>;
             state: zod.ZodOptional<zod.ZodString>;
             user: zod.ZodOptional<zod.ZodString>;
+            iss: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
           query: zod.ZodOptional<zod.ZodObject<{
             code: zod.ZodOptional<zod.ZodString>;
@@ -4245,6 +4250,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             error_description: zod.ZodOptional<zod.ZodString>;
             state: zod.ZodOptional<zod.ZodString>;
             user: zod.ZodOptional<zod.ZodString>;
+            iss: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
           metadata: {
             allowedMediaTypes: string[];
@@ -6240,6 +6246,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             error_description: zod.ZodOptional<zod.ZodString>;
             state: zod.ZodOptional<zod.ZodString>;
             user: zod.ZodOptional<zod.ZodString>;
+            iss: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
           query: zod.ZodOptional<zod.ZodObject<{
             code: zod.ZodOptional<zod.ZodString>;
@@ -6248,6 +6255,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             error_description: zod.ZodOptional<zod.ZodString>;
             state: zod.ZodOptional<zod.ZodString>;
             user: zod.ZodOptional<zod.ZodString>;
+            iss: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
           metadata: {
             allowedMediaTypes: string[];
@@ -8317,6 +8325,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             error_description: zod.ZodOptional<zod.ZodString>;
             state: zod.ZodOptional<zod.ZodString>;
             user: zod.ZodOptional<zod.ZodString>;
+            iss: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
           query: zod.ZodOptional<zod.ZodObject<{
             code: zod.ZodOptional<zod.ZodString>;
@@ -8325,6 +8334,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             error_description: zod.ZodOptional<zod.ZodString>;
             state: zod.ZodOptional<zod.ZodString>;
             user: zod.ZodOptional<zod.ZodString>;
+            iss: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
           metadata: {
             allowedMediaTypes: string[];
@@ -10320,6 +10330,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             error_description: zod.ZodOptional<zod.ZodString>;
             state: zod.ZodOptional<zod.ZodString>;
             user: zod.ZodOptional<zod.ZodString>;
+            iss: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
           query: zod.ZodOptional<zod.ZodObject<{
             code: zod.ZodOptional<zod.ZodString>;
@@ -10328,6 +10339,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             error_description: zod.ZodOptional<zod.ZodString>;
             state: zod.ZodOptional<zod.ZodString>;
             user: zod.ZodOptional<zod.ZodString>;
+            iss: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
           metadata: {
             allowedMediaTypes: string[];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.3",
+  "version": "1.7.0-beta.1",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.14",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.3",
-    "@better-auth/drizzle-adapter": "1.6.3",
-    "@better-auth/kysely-adapter": "1.6.3",
-    "@better-auth/memory-adapter": "1.6.3",
-    "@better-auth/mongo-adapter": "1.6.3",
-    "@better-auth/prisma-adapter": "1.6.3",
-    "@better-auth/telemetry": "1.6.3"
+    "@better-auth/core": "1.7.0-beta.1",
+    "@better-auth/drizzle-adapter": "1.7.0-beta.1",
+    "@better-auth/kysely-adapter": "1.7.0-beta.1",
+    "@better-auth/memory-adapter": "1.7.0-beta.1",
+    "@better-auth/mongo-adapter": "1.7.0-beta.1",
+    "@better-auth/prisma-adapter": "1.7.0-beta.1",
+    "@better-auth/telemetry": "1.7.0-beta.1"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",