better-auth 1.6.6 → 1.6.7

package/dist/api/to-auth-endpoints.mjs

@@ -98,16 +98,43 @@ function toAuthEndpoints(endpoints, ctx) {
 						[ATTR_HTTP_ROUTE]: route,
 						[ATTR_OPERATION_ID]: operationId
 					}, () => endpoint(internalContext))).catch((e) => {
-						if (isAPIError(e))
- /**
-						* API Errors from response are caught
-						* and returned to hooks
-						*/
-						return {
-							response: e,
-							status: e.statusCode,
-							headers: e.headers ? new Headers(e.headers) : null
-						};
+						if (isAPIError(e)) {
+							/**
+							* API Errors from response are caught
+							* and returned to hooks.
+							*
+							* Headers come from two sources that must both
+							* survive:
+							* - `kAPIErrorHeaderSymbol`: ctx.responseHeaders
+							*   accumulated via c.setCookie / c.setHeader
+							*   before the throw.
+							* - `e.headers`: explicit headers on the APIError
+							*   (e.g. `location` from c.redirect).
+							*
+							* Start from the accumulated ctx headers, then
+							* apply e.headers on top — appending `set-cookie`
+							* and setting others — so explicit APIError
+							* headers override while cookies accumulate.
+							*/
+							const ctxHeaders = e[kAPIErrorHeaderSymbol];
+							const errHeaders = e.headers ? new Headers(e.headers) : null;
+							let headers = null;
+							if (ctxHeaders || errHeaders) {
+								headers = new Headers();
+								ctxHeaders?.forEach((value, key) => {
+									headers.append(key, value);
+								});
+								errHeaders?.forEach((value, key) => {
+									if (key.toLowerCase() === "set-cookie") headers.append(key, value);
+									else headers.set(key, value);
+								});
+							}
+							return {
+								response: e,
+								status: e.statusCode,
+								headers
+							};
+						}
 						throw e;
 					});
 					if (result && result instanceof Response) return result;
@@ -116,7 +143,26 @@ function toAuthEndpoints(endpoints, ctx) {
 					const after = await runAfterHooks(internalContext, afterHooks, endpoint, operationId);
 					if (after.response) result.response = after.response;
 					if (isAPIError(result.response) && shouldPublishLog(authContext.logger.level, "debug")) result.response.stack = result.response.errorStack;
-					if (isAPIError(result.response) && !shouldReturnResponse) throw result.response;
+					if (isAPIError(result.response) && !shouldReturnResponse) {
+						/**
+						* Non-response path: we re-throw the raw APIError
+						* to callers of `auth.api.*`. `result.headers`
+						* holds the merged ctx + explicit headers (see
+						* catch block above) — rewrite
+						* `kAPIErrorHeaderSymbol` with the merged set so
+						* downstream pipelines (e.g. better-call's
+						* response builder, or an outer hook catch) see
+						* the same headers we'd have written on the
+						* response.
+						*/
+						if (result.headers) Object.defineProperty(result.response, kAPIErrorHeaderSymbol, {
+							enumerable: false,
+							configurable: true,
+							writable: false,
+							value: result.headers
+						});
+						throw result.response;
+					}
 					return shouldReturnResponse ? toResponse(result.response, {
 						headers: result.headers,
 						status: result.status

package/dist/oauth2/state.mjs

@@ -29,7 +29,7 @@ async function generateState(c, link, additionalData) {
 	}
 }
 async function parseState(c) {
-	const state = c.query.state || c.body.state;
+	const state = c.query.state || c.body?.state;
 	const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
 	let parsedData;
 	try {

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.6";
+var version = "1.6.7";
 //#endregion
 export { version };

package/dist/plugins/phone-number/routes.mjs

@@ -312,6 +312,11 @@ const verifyPhoneNumber = (opts) => createAuthEndpoint("/phone-number/verify", {
 			[opts.phoneNumber]: ctx.body.phoneNumber,
 			[opts.phoneNumberVerified]: true
 		});
+		if (!user) throw APIError.from("INTERNAL_SERVER_ERROR", BASE_ERROR_CODES.FAILED_TO_UPDATE_USER);
+		await opts?.callbackOnVerification?.({
+			phoneNumber: ctx.body.phoneNumber,
+			user
+		}, ctx);
 		return ctx.json({
 			status: true,
 			token: session.session.token,

package/dist/utils/is-api-error.d.mts

@@ -1,6 +1,2 @@
-import { APIError } from "@better-auth/core/error";
-
-//#region src/utils/is-api-error.d.ts
-declare function isAPIError(error: unknown): error is APIError;
-//#endregion
+import { isAPIError } from "@better-auth/core/utils/is-api-error";
 export { isAPIError };

package/dist/utils/is-api-error.mjs

@@ -1,8 +1,2 @@
-import { APIError } from "@better-auth/core/error";
-import { APIError as APIError$1 } from "better-call";
-//#region src/utils/is-api-error.ts
-function isAPIError(error) {
-	return error instanceof APIError$1 || error instanceof APIError || error?.name === "APIError";
-}
-//#endregion
+import { isAPIError } from "@better-auth/core/utils/is-api-error";
 export { isAPIError };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.6",
+  "version": "1.6.7",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.14",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.6",
-    "@better-auth/drizzle-adapter": "1.6.6",
-    "@better-auth/kysely-adapter": "1.6.6",
-    "@better-auth/memory-adapter": "1.6.6",
-    "@better-auth/mongo-adapter": "1.6.6",
-    "@better-auth/prisma-adapter": "1.6.6",
-    "@better-auth/telemetry": "1.6.6"
+    "@better-auth/core": "1.6.7",
+    "@better-auth/drizzle-adapter": "1.6.7",
+    "@better-auth/kysely-adapter": "1.6.7",
+    "@better-auth/memory-adapter": "1.6.7",
+    "@better-auth/mongo-adapter": "1.6.7",
+    "@better-auth/prisma-adapter": "1.6.7",
+    "@better-auth/telemetry": "1.6.7"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",