better-auth 1.6.5 → 1.6.6

package/dist/context/helpers.mjs

@@ -5,6 +5,7 @@ import { createInternalAdapter } from "../db/internal-adapter.mjs";
 import { env } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
 import { defu } from "defu";
+import { isLoopbackHost } from "@better-auth/core/utils/host";
 //#region src/context/helpers.ts
 async function runPluginInit(context) {
 	let options = context.options;
@@ -62,7 +63,7 @@ async function getTrustedOrigins(options, request) {
 		const allowedHosts = options.baseURL.allowedHosts;
 		for (const host of allowedHosts) if (!host.includes("://")) {
 			trustedOrigins.push(`https://${host}`);
-			if (host.includes("localhost") || host.includes("127.0.0.1")) trustedOrigins.push(`http://${host}`);
+			if (isLoopbackHost(host)) trustedOrigins.push(`http://${host}`);
 		} else trustedOrigins.push(host);
 		if (options.baseURL.fallback) try {
 			trustedOrigins.push(new URL(options.baseURL.fallback).origin);

package/dist/cookies/cookie-utils.d.mts

@@ -7,9 +7,20 @@ interface CookieAttributes {
   path?: string | undefined;
   secure?: boolean | undefined;
   httponly?: boolean | undefined;
+  partitioned?: boolean | undefined;
   samesite?: ("strict" | "lax" | "none") | undefined;
   [key: string]: any;
 }
+interface ParsedCookieOptions {
+  maxAge?: number | undefined;
+  expires?: Date | undefined;
+  domain?: string | undefined;
+  path?: string | undefined;
+  secure?: boolean | undefined;
+  httpOnly?: boolean | undefined;
+  partitioned?: boolean | undefined;
+  sameSite?: CookieAttributes["samesite"];
+}
 declare const SECURE_COOKIE_PREFIX = "__Secure-";
 declare const HOST_COOKIE_PREFIX = "__Host-";
 /**
@@ -21,8 +32,9 @@ declare function stripSecureCookiePrefix(cookieName: string): string;
  */
 declare function splitSetCookieHeader(setCookie: string): string[];
 declare function parseSetCookieHeader(setCookie: string): Map<string, CookieAttributes>;
+declare function toCookieOptions(attributes: CookieAttributes): ParsedCookieOptions;
 declare function setCookieToHeader(headers: Headers): (context: {
   response: Response;
 }) => void;
 //#endregion
-export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix };
+export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/cookie-utils.mjs

@@ -78,6 +78,9 @@ function parseSetCookieHeader(setCookie) {
 				case "samesite":
 					attrObj.samesite = attrValue ? attrValue.trim().toLowerCase() : void 0;
 					break;
+				case "partitioned":
+					attrObj.partitioned = true;
+					break;
 				default:
 					attrObj[normalizedAttrName] = attrValue ? attrValue.trim() : true;
 					break;
@@ -87,6 +90,18 @@ function parseSetCookieHeader(setCookie) {
 	});
 	return cookies;
 }
+function toCookieOptions(attributes) {
+	return {
+		maxAge: attributes["max-age"],
+		expires: attributes.expires,
+		domain: attributes.domain,
+		path: attributes.path,
+		secure: attributes.secure,
+		httpOnly: attributes.httponly,
+		sameSite: attributes.samesite,
+		partitioned: attributes.partitioned
+	};
+}
 function setCookieToHeader(headers) {
 	return (context) => {
 		const setCookieHeader = context.response.headers.get("set-cookie");
@@ -104,4 +119,4 @@ function setCookieToHeader(headers) {
 	};
 }
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.d.mts

@@ -1,5 +1,5 @@
 import { Session, User } from "../types/models.mjs";
-import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix } from "./cookie-utils.mjs";
+import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createSessionStore, getAccountCookie, getChunkedCookie } from "./session-store.mjs";
 import { BetterAuthCookie, BetterAuthCookies, BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import * as better_call0 from "better-call";
@@ -116,4 +116,4 @@ declare const getCookieCache: <S extends {
   version?: string | ((session: Session & Record<string, any>, user: User & Record<string, any>) => string) | ((session: Session & Record<string, any>, user: User & Record<string, any>) => Promise<string>);
 } | undefined) => Promise<S | null>;
 //#endregion
-export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix };
+export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.mjs

@@ -4,7 +4,7 @@ import { parseUserOutput } from "../db/schema.mjs";
 import { getDate } from "../utils/date.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
 import { sec } from "../utils/time.mjs";
-import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix } from "./cookie-utils.mjs";
+import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { env, isProduction } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -258,4 +258,4 @@ const getCookieCache = async (request, config) => {
 	return null;
 };
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/integrations/next-js.mjs

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { setShouldSkipSessionRefresh } from "../api/state/should-session-refresh.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
@@ -70,16 +70,8 @@ const nextCookies = () => {
 						}
 						parsed.forEach((value, key) => {
 							if (!key) return;
-							const opts = {
-								sameSite: value.samesite,
-								secure: value.secure,
-								maxAge: value["max-age"],
-								httpOnly: value.httponly,
-								domain: value.domain,
-								path: value.path
-							};
 							try {
-								cookieHelper.set(key, value.value, opts);
+								cookieHelper.set(key, value.value, toCookieOptions(value));
 							} catch {}
 						});
 						return;

package/dist/integrations/svelte-kit.mjs

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/svelte-kit.ts
@@ -36,15 +36,10 @@ const sveltekitCookies = (getRequestEvent) => {
 					const event = getRequestEvent();
 					if (!event) return;
 					const parsed = parseSetCookieHeader(setCookies);
-					for (const [name, { value, ...ops }] of parsed) try {
-						event.cookies.set(name, value, {
-							sameSite: ops.samesite,
-							path: ops.path || "/",
-							expires: ops.expires,
-							secure: ops.secure,
-							httpOnly: ops.httponly,
-							domain: ops.domain,
-							maxAge: ops["max-age"]
+					for (const [name, attributes] of parsed) try {
+						event.cookies.set(name, attributes.value, {
+							...toCookieOptions(attributes),
+							path: attributes.path || "/"
 						});
 					} catch {}
 				}

package/dist/integrations/tanstack-start-solid.mjs

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/tanstack-start-solid.ts
@@ -37,16 +37,8 @@ const tanstackStartCookies = () => {
 					const { setCookie } = await import("@tanstack/solid-start/server");
 					parsed.forEach((value, key) => {
 						if (!key) return;
-						const opts = {
-							sameSite: value.samesite,
-							secure: value.secure,
-							maxAge: value["max-age"],
-							httpOnly: value.httponly,
-							domain: value.domain,
-							path: value.path
-						};
 						try {
-							setCookie(key, value.value, opts);
+							setCookie(key, value.value, toCookieOptions(value));
 						} catch {}
 					});
 					return;

package/dist/integrations/tanstack-start.mjs

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/tanstack-start.ts
@@ -37,16 +37,8 @@ const tanstackStartCookies = () => {
 					const { setCookie } = await import("@tanstack/react-start/server");
 					parsed.forEach((value, key) => {
 						if (!key) return;
-						const opts = {
-							sameSite: value.samesite,
-							secure: value.secure,
-							maxAge: value["max-age"],
-							httpOnly: value.httponly,
-							domain: value.domain,
-							path: value.path
-						};
 						try {
-							setCookie(key, value.value, opts);
+							setCookie(key, value.value, toCookieOptions(value));
 						} catch {}
 					});
 					return;

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.5";
+var version = "1.6.6";
 //#endregion
 export { version };

package/dist/plugins/custom-session/index.d.mts

@@ -2,7 +2,8 @@ import * as _better_auth_core0 from "@better-auth/core";
 import { BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import { Session, User } from "@better-auth/core/db";
 import * as better_call0 from "better-call";
-import * as z from "zod";
+import * as zod from "zod";
+import * as zod_v4_core0 from "zod/v4/core";
 
 //#region src/plugins/custom-session/index.d.ts
 declare module "@better-auth/core" {
@@ -34,10 +35,10 @@ declare const customSession: <Returns extends Record<string, any>, O extends Bet
   endpoints: {
     getSession: better_call0.StrictEndpoint<"/get-session", {
       method: "GET";
-      query: z.ZodOptional<z.ZodObject<{
-        disableCookieCache: z.ZodOptional<z.ZodUnion<[z.ZodBoolean, z.ZodPipe<z.ZodString, z.ZodTransform<boolean, string>>]>>;
-        disableRefresh: z.ZodOptional<z.ZodBoolean>;
-      }, z.core.$strip>>;
+      query: zod.ZodOptional<zod.ZodObject<{
+        disableCookieCache: zod.ZodOptional<zod.ZodCoercedBoolean<unknown>>;
+        disableRefresh: zod.ZodOptional<zod.ZodCoercedBoolean<unknown>>;
+      }, zod_v4_core0.$strip>>;
       metadata: {
         CUSTOM_SESSION: boolean;
         openapi: {

package/dist/plugins/custom-session/index.mjs

@@ -1,14 +1,10 @@
-import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../../cookies/cookie-utils.mjs";
+import { getSessionQuerySchema } from "../../cookies/session-store.mjs";
 import { getSession } from "../../api/routes/session.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { getEndpointResponse } from "../../utils/plugin-helper.mjs";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
-import * as z from "zod";
 //#region src/plugins/custom-session/index.ts
-const getSessionQuerySchema = z.optional(z.object({
-	disableCookieCache: z.boolean().meta({ description: "Disable cookie cache and fetch session from database" }).or(z.string().transform((v) => v === "true")).optional(),
-	disableRefresh: z.boolean().meta({ description: "Disable session refresh. Useful for checking session status, without updating the session" }).optional()
-}));
 const customSession = (fn, options, pluginOptions) => {
 	return {
 		id: "custom-session",
@@ -53,15 +49,7 @@ const customSession = (fn, options, pluginOptions) => {
 			if (!session?.response) return ctx.json(null);
 			const fnResult = await fn(session.response, ctx);
 			for (const cookieStr of session.headers.getSetCookie()) parseSetCookieHeader(cookieStr).forEach((attrs, name) => {
-				ctx.setCookie(name, attrs.value, {
-					maxAge: attrs["max-age"],
-					expires: attrs.expires,
-					domain: attrs.domain,
-					path: attrs.path,
-					secure: attrs.secure,
-					httpOnly: attrs.httponly,
-					sameSite: attrs.samesite
-				});
+				ctx.setCookie(name, attrs.value, toCookieOptions(attrs));
 			});
 			session.headers.delete("set-cookie");
 			session.headers.forEach((value, key) => {

package/dist/plugins/organization/organization.d.mts

@@ -1,6 +1,6 @@
 import { AccessControl, ArrayElement, Statements } from "../access/types.mjs";
 import { OrganizationOptions } from "./types.mjs";
-import { InferInvitation, InferMember, InferOrganization, InferTeam, OrganizationSchema, Team, TeamMember } from "./schema.mjs";
+import { InferInvitation, InferMember, InferOrganization, InferTeam, OrganizationSchema, TeamMember } from "./schema.mjs";
 import { ORGANIZATION_ERROR_CODES } from "./error-codes.mjs";
 import { createOrgRole, deleteOrgRole, getOrgRole, listOrgRoles, updateOrgRole } from "./routes/crud-access-control.mjs";
 import { acceptInvitation, cancelInvitation, createInvitation, getInvitation, listInvitations, listUserInvitations, rejectInvitation } from "./routes/crud-invites.mjs";
@@ -30,7 +30,7 @@ type DefaultOrganizationPlugin<Options extends OrganizationOptions> = {
     Member: InferMember<Options>;
     Team: Options["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<Options> : never;
     TeamMember: Options["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -249,7 +249,7 @@ type OrganizationPlugin<O extends OrganizationOptions> = {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -300,7 +300,7 @@ declare function organization<O extends OrganizationOptions & {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -336,7 +336,7 @@ declare function organization<O extends OrganizationOptions & {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -372,7 +372,7 @@ declare function organization<O extends OrganizationOptions & {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;

package/dist/plugins/phone-number/index.d.mts

@@ -16,6 +16,36 @@ declare module "@better-auth/core" {
 declare const phoneNumber: (options?: PhoneNumberOptions | undefined) => {
   id: "phone-number";
   version: string;
+  init(): {
+    options: {
+      databaseHooks: {
+        user: {
+          update: {
+            before(data: Partial<{
+              id: string;
+              createdAt: Date;
+              updatedAt: Date;
+              email: string;
+              emailVerified: boolean;
+              name: string;
+              image?: string | null | undefined;
+            }> & Record<string, unknown>): Promise<{
+              data: {
+                [x: string]: unknown;
+                id?: string | undefined;
+                createdAt?: Date | undefined;
+                updatedAt?: Date | undefined;
+                email?: string | undefined;
+                emailVerified?: boolean | undefined;
+                name?: string | undefined;
+                image?: string | null | undefined;
+              };
+            } | undefined>;
+          };
+        };
+      };
+    };
+  };
   hooks: {
     before: {
       matcher: (ctx: _better_auth_core0.HookEndpointContext) => boolean;

package/dist/plugins/phone-number/index.mjs

@@ -19,8 +19,16 @@ const phoneNumber = (options) => {
 	return {
 		id: "phone-number",
 		version: PACKAGE_VERSION,
+		init() {
+			return { options: { databaseHooks: { user: { update: { async before(data) {
+				if (opts.phoneNumber in data && data[opts.phoneNumber] === null) return { data: {
+					...data,
+					[opts.phoneNumberVerified]: false
+				} };
+			} } } } } };
+		},
 		hooks: { before: [{
-			matcher: (ctx) => ctx.path === "/update-user" && "phoneNumber" in ctx.body,
+			matcher: (ctx) => ctx.path === "/update-user" && "phoneNumber" in ctx.body && ctx.body.phoneNumber !== null,
 			handler: createAuthMiddleware(async (_ctx) => {
 				throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.PHONE_NUMBER_CANNOT_BE_UPDATED);
 			})

package/dist/utils/url.mjs

@@ -2,6 +2,21 @@ import { wildcardMatch } from "./wildcard.mjs";
 import { env } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
 //#region src/utils/url.ts
+/**
+* Minimal loopback check for dev scheme inference only. Reachable from
+* `client/config.ts` via `getBaseURL`, so we MUST NOT import the full
+* `@better-auth/core/utils/host` classifier here: its `utils/ip` dependency
+* on zod would leak into the client bundle (see `e2e/smoke/test/vite.spec.ts`).
+*
+* Server-side SSRF/loopback checks (oauth redirect matching, trusted-origin
+* resolution, electron fetch gate) continue to use the authoritative
+* `isLoopbackHost` from `@better-auth/core/utils/host`. This helper's only
+* job is picking `http` vs `https` for dev ergonomics.
+*/
+function isLoopbackForDevScheme(host) {
+	const hostname = host.replace(/:\d+$/, "").replace(/^\[|\]$/g, "").toLowerCase();
+	return hostname === "localhost" || hostname.endsWith(".localhost") || hostname === "::1" || hostname.startsWith("127.");
+}
 function checkHasPath(url) {
 	try {
 		return (new URL(url).pathname.replace(/\/+$/, "") || "/") !== "/";
@@ -146,13 +161,9 @@ function getProtocolFromSource(source, configProtocol, trustedProxyHeaders) {
 		if (url.protocol === "http:" || url.protocol === "https:") return url.protocol.slice(0, -1);
 	} catch {}
 	const host = getHostFromSource(source, trustedProxyHeaders);
-	if (host && isLoopbackHost(host)) return "http";
+	if (host && isLoopbackForDevScheme(host)) return "http";
 	return "https";
 }
-function isLoopbackHost(host) {
-	const h = host.toLowerCase();
-	return h === "localhost" || h.startsWith("localhost:") || h === "127.0.0.1" || h.startsWith("127.0.0.1:") || h === "[::1]" || h.startsWith("[::1]:") || h === "0.0.0.0" || h.startsWith("0.0.0.0:");
-}
 /**
 * Matches a hostname against a host pattern.
 * Supports wildcard patterns like `*.vercel.app` or `preview-*.myapp.com`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.5",
+  "version": "1.6.6",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.14",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.5",
-    "@better-auth/drizzle-adapter": "1.6.5",
-    "@better-auth/kysely-adapter": "1.6.5",
-    "@better-auth/memory-adapter": "1.6.5",
-    "@better-auth/mongo-adapter": "1.6.5",
-    "@better-auth/prisma-adapter": "1.6.5",
-    "@better-auth/telemetry": "1.6.5"
+    "@better-auth/core": "1.6.6",
+    "@better-auth/drizzle-adapter": "1.6.6",
+    "@better-auth/kysely-adapter": "1.6.6",
+    "@better-auth/memory-adapter": "1.6.6",
+    "@better-auth/mongo-adapter": "1.6.6",
+    "@better-auth/prisma-adapter": "1.6.6",
+    "@better-auth/telemetry": "1.6.6"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",