better-auth 1.6.6 → 1.6.8

package/dist/api/routes/account.mjs

@@ -1,6 +1,7 @@
 import { parseAccountOutput } from "../../db/schema.mjs";
 import { getAccountCookie, setAccountCookie } from "../../cookies/session-store.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
+import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
 import { generateState } from "../../oauth2/state.mjs";
 import { decryptOAuthToken, setTokenUtil } from "../../oauth2/utils.mjs";
 import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "./session.mjs";
@@ -133,7 +134,7 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 		}
 		const linkingUserId = String(linkingUserInfo.user.id);
 		if (!linkingUserInfo.user.email) {
-			c.context.logger.error("User email not found", { provider: c.body.provider });
+			c.context.logger.error(missingEmailLogMessage(c.body.provider, { source: "id_token" }), { provider: c.body.provider });
 			throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.USER_EMAIL_NOT_FOUND);
 		}
 		if ((await c.context.internalAdapter.findAccounts(session.user.id)).find((a) => a.providerId === provider.id && a.accountId === linkingUserId)) return c.json({

package/dist/api/routes/callback.mjs

@@ -1,5 +1,6 @@
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
+import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
 import { parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
@@ -134,7 +135,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		throw c.redirect(toRedirectTo);
 	}
 	if (!userInfo.email) {
-		c.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings.");
+		c.context.logger.error(missingEmailLogMessage(provider.id));
 		return redirectOnError("email_not_found");
 	}
 	const accountData = {

package/dist/api/routes/sign-in.mjs

@@ -2,6 +2,7 @@ import { formCsrfMiddleware } from "../middlewares/origin-check.mjs";
 import { parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
+import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
 import { generateState } from "../../oauth2/state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";
@@ -100,7 +101,7 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 			throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.FAILED_TO_GET_USER_INFO);
 		}
 		if (!userInfo.user.email) {
-			c.context.logger.error("User email not found", { provider: c.body.provider });
+			c.context.logger.error(missingEmailLogMessage(c.body.provider, { source: "id_token" }), { provider: c.body.provider });
 			throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.USER_EMAIL_NOT_FOUND);
 		}
 		const data = await handleOAuthUserInfo(c, {

package/dist/api/to-auth-endpoints.mjs

@@ -98,16 +98,43 @@ function toAuthEndpoints(endpoints, ctx) {
 						[ATTR_HTTP_ROUTE]: route,
 						[ATTR_OPERATION_ID]: operationId
 					}, () => endpoint(internalContext))).catch((e) => {
-						if (isAPIError(e))
- /**
-						* API Errors from response are caught
-						* and returned to hooks
-						*/
-						return {
-							response: e,
-							status: e.statusCode,
-							headers: e.headers ? new Headers(e.headers) : null
-						};
+						if (isAPIError(e)) {
+							/**
+							* API Errors from response are caught
+							* and returned to hooks.
+							*
+							* Headers come from two sources that must both
+							* survive:
+							* - `kAPIErrorHeaderSymbol`: ctx.responseHeaders
+							*   accumulated via c.setCookie / c.setHeader
+							*   before the throw.
+							* - `e.headers`: explicit headers on the APIError
+							*   (e.g. `location` from c.redirect).
+							*
+							* Start from the accumulated ctx headers, then
+							* apply e.headers on top — appending `set-cookie`
+							* and setting others — so explicit APIError
+							* headers override while cookies accumulate.
+							*/
+							const ctxHeaders = e[kAPIErrorHeaderSymbol];
+							const errHeaders = e.headers ? new Headers(e.headers) : null;
+							let headers = null;
+							if (ctxHeaders || errHeaders) {
+								headers = new Headers();
+								ctxHeaders?.forEach((value, key) => {
+									headers.append(key, value);
+								});
+								errHeaders?.forEach((value, key) => {
+									if (key.toLowerCase() === "set-cookie") headers.append(key, value);
+									else headers.set(key, value);
+								});
+							}
+							return {
+								response: e,
+								status: e.statusCode,
+								headers
+							};
+						}
 						throw e;
 					});
 					if (result && result instanceof Response) return result;
@@ -116,7 +143,26 @@ function toAuthEndpoints(endpoints, ctx) {
 					const after = await runAfterHooks(internalContext, afterHooks, endpoint, operationId);
 					if (after.response) result.response = after.response;
 					if (isAPIError(result.response) && shouldPublishLog(authContext.logger.level, "debug")) result.response.stack = result.response.errorStack;
-					if (isAPIError(result.response) && !shouldReturnResponse) throw result.response;
+					if (isAPIError(result.response) && !shouldReturnResponse) {
+						/**
+						* Non-response path: we re-throw the raw APIError
+						* to callers of `auth.api.*`. `result.headers`
+						* holds the merged ctx + explicit headers (see
+						* catch block above) — rewrite
+						* `kAPIErrorHeaderSymbol` with the merged set so
+						* downstream pipelines (e.g. better-call's
+						* response builder, or an outer hook catch) see
+						* the same headers we'd have written on the
+						* response.
+						*/
+						if (result.headers) Object.defineProperty(result.response, kAPIErrorHeaderSymbol, {
+							enumerable: false,
+							configurable: true,
+							writable: false,
+							value: result.headers
+						});
+						throw result.response;
+					}
 					return shouldReturnResponse ? toResponse(result.response, {
 						headers: result.headers,
 						status: result.status

package/dist/oauth2/errors.mjs

@@ -0,0 +1,12 @@
+//#region src/oauth2/errors.ts
+const HANDLING_DOCS_URL = "https://www.better-auth.com/docs/concepts/oauth#handling-providers-without-email";
+/**
+* Build the logger message shown when an OAuth provider does not return an
+* email address. Kept in one place so every rejection site points users at
+* the same workaround docs.
+*/
+function missingEmailLogMessage(providerId, options) {
+	return `${options?.source === "generic" ? `Generic OAuth provider "${providerId}"` : `Provider "${providerId}"`} did not return an email${options?.source === "id_token" ? " in the id token" : ""}. Either request the provider's email scope, or synthesize one via \`mapProfileToUser\`. See ${HANDLING_DOCS_URL}`;
+}
+//#endregion
+export { missingEmailLogMessage };

package/dist/oauth2/state.mjs

@@ -29,7 +29,7 @@ async function generateState(c, link, additionalData) {
 	}
 }
 async function parseState(c) {
-	const state = c.query.state || c.body.state;
+	const state = c.query.state || c.body?.state;
 	const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
 	let parsedData;
 	try {

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.6";
+var version = "1.6.8";
 //#endregion
 export { version };

package/dist/plugins/generic-oauth/routes.mjs

@@ -1,4 +1,5 @@
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
 import { generateState, parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
 import { sessionMiddleware } from "../../api/routes/session.mjs";
@@ -209,7 +210,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 		const mapUser = providerConfig.mapProfileToUser ? await providerConfig.mapProfileToUser(userInfo) : userInfo;
 		const email = mapUser.email ? mapUser.email.toLowerCase() : userInfo.email?.toLowerCase();
 		if (!email) {
-			ctx.context.logger.error("Unable to get user info", userInfo);
+			ctx.context.logger.error(missingEmailLogMessage(providerConfig.providerId, { source: "generic" }), userInfo);
 			throw redirectOnError("email_is_missing");
 		}
 		const id = mapUser.id ? String(mapUser.id) : String(userInfo.id);

package/dist/plugins/organization/adapter.d.mts

@@ -396,7 +396,7 @@ declare const getOrgAdapter: <O extends OrganizationOptions>(context: AuthContex
     } ? FieldAttributeToObject<RemoveFieldsWithReturnedFalse<Field>> : {}) extends infer T_3 ? { [K_3 in keyof T_3]: T_3[K_3] } : never)[] | undefined;
   }) | null>;
   listOrganizations: (userId: string) => Promise<InferOrganization<O>[]>;
-  createTeam: (data: Omit<TeamInput, "id">) => Promise<{
+  createTeam: (data: TeamInput) => Promise<{
     id: string;
     name: string;
     organizationId: string;

package/dist/plugins/organization/adapter.mjs

@@ -357,7 +357,8 @@ const getOrgAdapter = (context, options) => {
 		createTeam: async (data) => {
 			return await (await getCurrentAdapter(baseAdapter)).create({
 				model: "team",
-				data
+				data,
+				forceAllowId: true
 			});
 		},
 		findTeamById: async ({ teamId, organizationId, includeTeamMembers }) => {
@@ -553,7 +554,8 @@ const getOrgAdapter = (context, options) => {
 					inviterId: user.id,
 					...invitation,
 					teamId: invitation.teamIds.length > 0 ? invitation.teamIds.join(",") : null
-				}
+				},
+				forceAllowId: true
 			});
 		},
 		findInvitationById: async (id) => {

package/dist/plugins/organization/schema.d.mts

@@ -294,7 +294,7 @@ type InvitationInput = z.input<typeof invitationSchema>;
 type MemberInput = z.input<typeof memberSchema>;
 type TeamMemberInput = z.input<typeof teamMemberSchema>;
 type OrganizationInput = z.input<typeof organizationSchema>;
-type TeamInput = z.infer<typeof teamSchema>;
+type TeamInput = z.input<typeof teamSchema>;
 type OrganizationRole = z.infer<typeof organizationRoleSchema>;
 declare const defaultRolesSchema: z.ZodUnion<readonly [z.ZodEnum<{
   admin: "admin";

package/dist/plugins/phone-number/routes.mjs

@@ -312,6 +312,11 @@ const verifyPhoneNumber = (opts) => createAuthEndpoint("/phone-number/verify", {
 			[opts.phoneNumber]: ctx.body.phoneNumber,
 			[opts.phoneNumberVerified]: true
 		});
+		if (!user) throw APIError.from("INTERNAL_SERVER_ERROR", BASE_ERROR_CODES.FAILED_TO_UPDATE_USER);
+		await opts?.callbackOnVerification?.({
+			phoneNumber: ctx.body.phoneNumber,
+			user
+		}, ctx);
 		return ctx.json({
 			status: true,
 			token: session.session.token,

package/dist/utils/is-api-error.d.mts

@@ -1,6 +1,2 @@
-import { APIError } from "@better-auth/core/error";
-
-//#region src/utils/is-api-error.d.ts
-declare function isAPIError(error: unknown): error is APIError;
-//#endregion
+import { isAPIError } from "@better-auth/core/utils/is-api-error";
 export { isAPIError };

package/dist/utils/is-api-error.mjs

@@ -1,8 +1,2 @@
-import { APIError } from "@better-auth/core/error";
-import { APIError as APIError$1 } from "better-call";
-//#region src/utils/is-api-error.ts
-function isAPIError(error) {
-	return error instanceof APIError$1 || error instanceof APIError || error?.name === "APIError";
-}
-//#endregion
+import { isAPIError } from "@better-auth/core/utils/is-api-error";
 export { isAPIError };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.6",
+  "version": "1.6.8",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.14",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.6",
-    "@better-auth/drizzle-adapter": "1.6.6",
-    "@better-auth/kysely-adapter": "1.6.6",
-    "@better-auth/memory-adapter": "1.6.6",
-    "@better-auth/mongo-adapter": "1.6.6",
-    "@better-auth/prisma-adapter": "1.6.6",
-    "@better-auth/telemetry": "1.6.6"
+    "@better-auth/core": "1.6.8",
+    "@better-auth/drizzle-adapter": "1.6.8",
+    "@better-auth/kysely-adapter": "1.6.8",
+    "@better-auth/memory-adapter": "1.6.8",
+    "@better-auth/mongo-adapter": "1.6.8",
+    "@better-auth/prisma-adapter": "1.6.8",
+    "@better-auth/telemetry": "1.6.8"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",