better-auth 1.6.8 → 1.6.10

package/README.md

@@ -1,32 +1,31 @@
-<p align="center">
+<div align="center">
   <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://github.com/better-auth/better-auth/blob/main/banner-dark.png?raw=true" />
-    <source media="(prefers-color-scheme: light)" srcset="https://github.com/better-auth/better-auth/blob/main/banner.png?raw=true" />
-    <img alt="Better Auth Logo" src="https://github.com/better-auth/better-auth/blob/main/banner.png?raw=true" />
+    <source srcset="https://github.com/better-auth/better-auth/blob/main/banner-dark.png?raw=true" media="(prefers-color-scheme: dark)"/>
+    <source srcset="https://github.com/better-auth/better-auth/blob/main/banner-light.png?raw=true" media="(prefers-color-scheme: light)"/>
+    <img src="https://github.com/better-auth/better-auth/blob/main/banner-light.png?raw=true" alt="Better Auth Logo"/>
   </picture>
 
-  <h1 align="center">
-    Better Auth
-  </h1>
+  [![npm](https://img.shields.io/npm/dm/better-auth?style=flat&colorA=000000&colorB=000000)](https://npm.chart.dev/better-auth?primary=neutral&gray=neutral&theme=dark)
+  [![npm version](https://img.shields.io/npm/v/better-auth.svg?style=flat&colorA=000000&colorB=000000)](https://www.npmjs.com/package/better-auth)
+  [![GitHub stars](https://img.shields.io/github/stars/better-auth/better-auth?style=flat&colorA=000000&colorB=000000)](https://github.com/better-auth/better-auth/stargazers)
 
-  <p align="center">
-    The most comprehensive authentication framework for TypeScript
-    <br />
-    <a href="https://better-auth.com"><strong>Learn more »</strong></a>
-    <br />
-    <br />
+  <p>
     <a href="https://discord.gg/better-auth">Discord</a>
     ·
     <a href="https://better-auth.com">Website</a>
     ·
     <a href="https://github.com/better-auth/better-auth/issues">Issues</a>
   </p>
-</p>
+</div>
+
+## Better Auth
+
+Better Auth is a framework-agnostic authentication (and authorization) framework for TypeScript. It provides a comprehensive set of features out of the box and includes a plugin ecosystem that simplifies adding advanced functionalities with minimal code in a short amount of time. Whether you need 2FA, multi-tenant support, or other complex features, it lets you focus on building your actual application instead of reinventing the wheel.
 
 ## Getting Started
 
 ```bash
-pnpm install better-auth
+npm i better-auth
 ```
 
 Read the [Installation Guide](https://better-auth.com/docs/installation) to

package/dist/api/index.d.mts

@@ -178,7 +178,6 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
                       };
                       redirect: {
                         type: string;
-                        enum: boolean[];
                       };
                     };
                     required: string[];
@@ -2167,7 +2166,6 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
                       };
                       redirect: {
                         type: string;
-                        enum: boolean[];
                       };
                     };
                     required: string[];

package/dist/api/routes/callback.mjs

@@ -91,10 +91,11 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		...tokens,
 		user: parsedUserData ?? void 0
 	}).then((res) => res?.user);
-	if (!userInfo) {
+	if (!userInfo || userInfo.id === void 0 || userInfo.id === null) {
 		c.context.logger.error("Unable to get user info");
 		return redirectOnError("unable_to_get_user_info");
 	}
+	const providerAccountId = String(userInfo.id);
 	if (!callbackURL) {
 		c.context.logger.error("No callback URL found");
 		throw redirectOnError("no_callback_url");
@@ -105,7 +106,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 			return redirectOnError("unable_to_link_account");
 		}
 		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError("email_doesn't_match");
-		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(String(userInfo.id), provider.id);
+		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(providerAccountId, provider.id);
 		if (existingAccount) {
 			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError("account_already_linked_to_different_user");
 			const updateData = Object.fromEntries(Object.entries({
@@ -120,7 +121,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		} else if (!await c.context.internalAdapter.createAccount({
 			userId: link.userId,
 			providerId: provider.id,
-			accountId: String(userInfo.id),
+			accountId: providerAccountId,
 			...tokens,
 			accessToken: await setTokenUtil(tokens.accessToken, c.context),
 			refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
@@ -140,14 +141,14 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}
 	const accountData = {
 		providerId: provider.id,
-		accountId: String(userInfo.id),
+		accountId: providerAccountId,
 		...tokens,
 		scope: tokens.scopes?.join(",")
 	};
 	const result = await handleOAuthUserInfo(c, {
 		userInfo: {
 			...userInfo,
-			id: String(userInfo.id),
+			id: providerAccountId,
 			email: userInfo.email,
 			name: userInfo.name || ""
 		},

package/dist/api/routes/email-verification.mjs

@@ -12,7 +12,7 @@ import { JWTExpired } from "jose/errors";
 async function createEmailVerificationToken(secret, email, updateTo, expiresIn = 3600, extraPayload) {
 	return await signJWT({
 		email: email.toLowerCase(),
-		updateTo,
+		updateTo: updateTo?.toLowerCase(),
 		...extraPayload
 	}, secret, expiresIn);
 }
@@ -101,7 +101,7 @@ const sendVerificationEmail = createAuthEndpoint("/send-verification-email", {
 		await sendVerificationEmailFn(ctx, user.user);
 		return ctx.json({ status: true });
 	}
-	if (session?.user.email !== email) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_MISMATCH);
+	if (session?.user.email.toLowerCase() !== email.toLowerCase()) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_MISMATCH);
 	if (session?.user.emailVerified) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_ALREADY_VERIFIED);
 	await sendVerificationEmailFn(ctx, session.user);
 	return ctx.json({ status: true });

package/dist/api/routes/error.mjs

@@ -282,7 +282,7 @@ ${custom?.disableBackgroundGrid ? "" : `
               text-wrap: pretty;
             "
           >
-            ${!description ? `We encountered an unexpected error. Please try again or return to the home page. If you're a developer, you can find more information about the error <a href='https://better-auth.com/docs/reference/errors/${encodeURIComponent(code)}' target='_blank' rel="noopener noreferrer" style='color: var(--foreground); text-decoration: underline;'>here</a>.` : description}
+            ${!description ? `We encountered an unexpected error. Please try again or return to the home page. If you're a developer, you can find <a href='https://better-auth.com/docs/reference/errors/${encodeURIComponent(code)}' target='_blank' rel="noopener noreferrer" style='color: var(--foreground); text-decoration: underline;'>more information about the error</a>.` : description}
           </p>
         </div>
 

package/dist/api/routes/sign-in.d.mts

@@ -91,7 +91,6 @@ declare const signInSocial: <O extends BetterAuthOptions>() => better_call0.Stri
                   };
                   redirect: {
                     type: string;
-                    enum: boolean[];
                   };
                 };
                 required: string[];

package/dist/api/routes/sign-in.mjs

@@ -49,10 +49,10 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 			description: "Sign in with a social provider",
 			operationId: "socialSignIn",
 			responses: { "200": {
-				description: "Success - Returns either session details or redirect URL",
+				description: "Success - Returns session details (idToken branch) or an authorize URL (redirect branch)",
 				content: { "application/json": { schema: {
 					type: "object",
-					description: "Session response when idToken is provided",
+					description: "Returns session details when idToken is provided, or an authorize URL otherwise",
 					properties: {
 						token: { type: "string" },
 						user: {
@@ -60,16 +60,9 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 							$ref: "#/components/schemas/User"
 						},
 						url: { type: "string" },
-						redirect: {
-							type: "boolean",
-							enum: [false]
-						}
+						redirect: { type: "boolean" }
 					},
-					required: [
-						"redirect",
-						"token",
-						"user"
-					]
+					required: ["redirect"]
 				} } }
 			} }
 		}

package/dist/api/routes/sign-up.mjs

@@ -157,7 +157,7 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 			ctx.context.logger.error("Password is too long");
 			throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 		}
-		const shouldReturnGenericDuplicateResponse = ctx.context.options.emailAndPassword.requireEmailVerification;
+		const shouldReturnGenericDuplicateResponse = ctx.context.options.emailAndPassword.requireEmailVerification || ctx.context.options.emailAndPassword.autoSignIn === false;
 		const shouldSkipAutoSignIn = ctx.context.options.emailAndPassword.autoSignIn === false || shouldReturnGenericDuplicateResponse;
 		const additionalUserFields = parseUserInput(ctx.context.options, rest, "create");
 		const normalizedEmail = email.toLowerCase();

package/dist/api/to-auth-endpoints.mjs

@@ -117,7 +117,13 @@ function toAuthEndpoints(endpoints, ctx) {
 							* headers override while cookies accumulate.
 							*/
 							const ctxHeaders = e[kAPIErrorHeaderSymbol];
-							const errHeaders = e.headers ? new Headers(e.headers) : null;
+							/**
+							* `c.redirect()` (and similar APIError throws) reuse
+							* `ctx.responseHeaders` as `e.headers`, so when both sources
+							* reference the same Headers, iterating both duplicates every
+							* `set-cookie`. Skip the `errHeaders` copy in that case.
+							*/
+							const errHeaders = e.headers && e.headers !== ctxHeaders ? new Headers(e.headers) : null;
 							let headers = null;
 							if (ctxHeaders || errHeaders) {
 								headers = new Headers();

package/dist/client/plugins/index.d.mts

@@ -1,3 +1,4 @@
+import { FieldAttributeToObject, RemoveFieldsWithReturnedFalse } from "../../db/field.mjs";
 import { ExtractPluginField, HasRequiredKeys, InferPluginFieldFromTuple, IsAny, OverrideMerge, Prettify, PrettifyDeep, RequiredKeysOf, StripEmptyObjects, UnionToIntersection } from "../../types/helper.mjs";
 import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferTeam, Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, Team, TeamInput, TeamMember, TeamMemberInput, defaultRolesSchema, invitationSchema, invitationStatus, memberSchema, organizationRoleSchema, organizationSchema, roleSchema, teamMemberSchema, teamSchema } from "../../plugins/organization/schema.mjs";
 import { AdminOptions, InferAdminRolesFromOption, SessionWithImpersonatedBy, UserWithRole } from "../../plugins/admin/types.mjs";
@@ -52,4 +53,4 @@ import { phoneNumberClient } from "../../plugins/phone-number/client.mjs";
 import { siweClient } from "../../plugins/siwe/client.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, type FieldAttributeToObject, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, type RemoveFieldsWithReturnedFalse, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };

package/dist/cookies/cookie-utils.d.mts

@@ -33,8 +33,17 @@ declare function stripSecureCookiePrefix(cookieName: string): string;
 declare function splitSetCookieHeader(setCookie: string): string[];
 declare function parseSetCookieHeader(setCookie: string): Map<string, CookieAttributes>;
 declare function toCookieOptions(attributes: CookieAttributes): ParsedCookieOptions;
+/**
+ * Add or replace a cookie in the request `Cookie` header.
+ *
+ * Cookie pairs are joined with `; `, but `headers.append("cookie", ...)`
+ * joins with `, ` in some runtimes (e.g. Deno, Cloudflare Workers) and
+ * breaks downstream cookie parsing. This builds the header value via
+ * parse-mutate-serialize.
+ */
+declare function setRequestCookie(headers: Headers, name: string, value: string): void;
 declare function setCookieToHeader(headers: Headers): (context: {
   response: Response;
 }) => void;
 //#endregion
-export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/cookie-utils.mjs

@@ -102,6 +102,24 @@ function toCookieOptions(attributes) {
 		partitioned: attributes.partitioned
 	};
 }
+/**
+* Add or replace a cookie in the request `Cookie` header.
+*
+* Cookie pairs are joined with `; `, but `headers.append("cookie", ...)`
+* joins with `, ` in some runtimes (e.g. Deno, Cloudflare Workers) and
+* breaks downstream cookie parsing. This builds the header value via
+* parse-mutate-serialize.
+*/
+function setRequestCookie(headers, name, value) {
+	const cookieMap = /* @__PURE__ */ new Map();
+	for (const pair of (headers.get("cookie") || "").split(";")) {
+		const trimmed = pair.trim();
+		const eq = trimmed.indexOf("=");
+		if (eq > 0) cookieMap.set(trimmed.slice(0, eq), trimmed.slice(eq + 1));
+	}
+	cookieMap.set(name, value);
+	headers.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${v}`).join("; "));
+}
 function setCookieToHeader(headers) {
 	return (context) => {
 		const setCookieHeader = context.response.headers.get("set-cookie");
@@ -119,4 +137,4 @@ function setCookieToHeader(headers) {
 	};
 }
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.d.mts

@@ -1,5 +1,5 @@
 import { Session, User } from "../types/models.mjs";
-import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createSessionStore, getAccountCookie, getChunkedCookie } from "./session-store.mjs";
 import { BetterAuthCookie, BetterAuthCookies, BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import * as better_call0 from "better-call";
@@ -116,4 +116,4 @@ declare const getCookieCache: <S extends {
   version?: string | ((session: Session & Record<string, any>, user: User & Record<string, any>) => string) | ((session: Session & Record<string, any>, user: User & Record<string, any>) => Promise<string>);
 } | undefined) => Promise<S | null>;
 //#endregion
-export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.mjs

@@ -4,7 +4,7 @@ import { parseUserOutput } from "../db/schema.mjs";
 import { getDate } from "../utils/date.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
 import { sec } from "../utils/time.mjs";
-import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { env, isProduction } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -258,4 +258,4 @@ const getCookieCache = async (request, config) => {
 	return null;
 };
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/db/internal-adapter.mjs

@@ -41,7 +41,8 @@ const createInternalAdapter = (adapter, ctx) => {
 				const createdUser = await createWithHooks({
 					createdAt: /* @__PURE__ */ new Date(),
 					updatedAt: /* @__PURE__ */ new Date(),
-					...user
+					...user,
+					email: user.email?.toLowerCase()
 				}, "user", void 0);
 				return {
 					user: createdUser,
@@ -364,10 +365,10 @@ const createInternalAdapter = (adapter, ctx) => {
 				value: userId
 			}], "account", void 0);
 		},
-		deleteAccount: async (accountId) => {
+		deleteAccount: async (id) => {
 			await deleteWithHooks([{
 				field: "id",
-				value: accountId
+				value: id
 			}], "account", void 0);
 		},
 		deleteSessions: async (userIdOrSessionTokens) => {
@@ -475,7 +476,10 @@ const createInternalAdapter = (adapter, ctx) => {
 			}, "account", void 0);
 		},
 		updateUser: async (userId, data) => {
-			const user = await updateWithHooks(data, [{
+			const user = await updateWithHooks({
+				...data,
+				...data.email ? { email: data.email.toLowerCase() } : {}
+			}, [{
 				field: "id",
 				value: userId
 			}], "user", void 0);
@@ -483,7 +487,10 @@ const createInternalAdapter = (adapter, ctx) => {
 			return user;
 		},
 		updateUserByEmail: async (email, data) => {
-			const user = await updateWithHooks(data, [{
+			const user = await updateWithHooks({
+				...data,
+				...data.email ? { email: data.email.toLowerCase() } : {}
+			}, [{
 				field: "email",
 				value: email.toLowerCase()
 			}], "user", void 0);
@@ -634,7 +641,8 @@ const createInternalAdapter = (adapter, ctx) => {
 				value: storedIdentifier
 			}], "verification", void 0);
 			return data;
-		}
+		},
+		refreshUserSessions
 	};
 };
 //#endregion

package/dist/integrations/cookie-plugin-guard.mjs

@@ -0,0 +1,18 @@
+//#region src/integrations/cookie-plugin-guard.ts
+/**
+* Warns when a cookie integration plugin is not effectively last.
+*
+* A plugin is considered misordered when there is at least one other plugin
+* after it in the `plugins` array that declares `hooks.after`, since those
+* hooks can set cookies that this integration will not see.
+*/
+function warnIfCookiePluginNotLast(ctx, pluginId) {
+	const plugins = ctx.options.plugins || [];
+	if (plugins.length === 0) return;
+	const index = plugins.findIndex((p) => p.id === pluginId);
+	if (index === -1) return;
+	if (!plugins.slice(index + 1).some((p) => p.hooks && Array.isArray(p.hooks.after) && p.hooks.after.length > 0)) return;
+	ctx.logger.warn(`[better-auth] Cookie integration plugin "${pluginId}" should be placed last in the plugins array. Plugins with \`hooks.after\` running after it may set cookies that are not forwarded to the framework cookie store. Move your cookie integration plugin to the end of the \`plugins\` array to avoid missing \`Set-Cookie\` headers.`);
+}
+//#endregion
+export { warnIfCookiePluginNotLast };

package/dist/integrations/next-js.mjs

@@ -1,6 +1,7 @@
 import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { setShouldSkipSessionRefresh } from "../api/state/should-session-refresh.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
+import { warnIfCookiePluginNotLast } from "./cookie-plugin-guard.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/next-js.ts
 function toNextJsHandler(auth) {
@@ -16,6 +17,7 @@ function toNextJsHandler(auth) {
 	};
 }
 const nextCookies = () => {
+	let hasWarned = false;
 	return {
 		id: "next-cookies",
 		version: PACKAGE_VERSION,
@@ -25,6 +27,10 @@ const nextCookies = () => {
 					return ctx.path === "/get-session";
 				},
 				handler: createAuthMiddleware(async (ctx) => {
+					if (!hasWarned) {
+						warnIfCookiePluginNotLast(ctx.context, "next-cookies");
+						hasWarned = true;
+					}
 					if ("_flag" in ctx && ctx._flag === "router") return;
 					let headersStore;
 					try {

package/dist/integrations/svelte-kit.mjs

@@ -1,5 +1,6 @@
 import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
+import { warnIfCookiePluginNotLast } from "./cookie-plugin-guard.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/svelte-kit.ts
 const toSvelteKitHandler = (auth) => {
@@ -20,6 +21,7 @@ function isAuthPath(url, options) {
 	return true;
 }
 const sveltekitCookies = (getRequestEvent) => {
+	let hasWarned = false;
 	return {
 		id: "sveltekit-cookies",
 		version: PACKAGE_VERSION,
@@ -28,6 +30,10 @@ const sveltekitCookies = (getRequestEvent) => {
 				return true;
 			},
 			handler: createAuthMiddleware(async (ctx) => {
+				if (!hasWarned) {
+					warnIfCookiePluginNotLast(ctx.context, "sveltekit-cookies");
+					hasWarned = true;
+				}
 				const returned = ctx.context.responseHeaders;
 				if ("_flag" in ctx && ctx._flag === "router") return;
 				if (returned instanceof Headers) {

package/dist/integrations/tanstack-start-solid.mjs

@@ -1,5 +1,6 @@
 import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
+import { warnIfCookiePluginNotLast } from "./cookie-plugin-guard.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/tanstack-start-solid.ts
 /**
@@ -20,6 +21,7 @@ import { createAuthMiddleware } from "@better-auth/core/api";
 * ```
 */
 const tanstackStartCookies = () => {
+	let hasWarned = false;
 	return {
 		id: "tanstack-start-cookies-solid",
 		version: PACKAGE_VERSION,
@@ -28,6 +30,10 @@ const tanstackStartCookies = () => {
 				return true;
 			},
 			handler: createAuthMiddleware(async (ctx) => {
+				if (!hasWarned) {
+					warnIfCookiePluginNotLast(ctx.context, "tanstack-start-cookies-solid");
+					hasWarned = true;
+				}
 				const returned = ctx.context.responseHeaders;
 				if ("_flag" in ctx && ctx._flag === "router") return;
 				if (returned instanceof Headers) {

package/dist/integrations/tanstack-start.mjs

@@ -1,5 +1,6 @@
 import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
+import { warnIfCookiePluginNotLast } from "./cookie-plugin-guard.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/tanstack-start.ts
 /**
@@ -20,6 +21,7 @@ import { createAuthMiddleware } from "@better-auth/core/api";
 * ```
 */
 const tanstackStartCookies = () => {
+	let hasWarned = false;
 	return {
 		id: "tanstack-start-cookies",
 		version: PACKAGE_VERSION,
@@ -28,6 +30,10 @@ const tanstackStartCookies = () => {
 				return true;
 			},
 			handler: createAuthMiddleware(async (ctx) => {
+				if (!hasWarned) {
+					warnIfCookiePluginNotLast(ctx.context, "tanstack-start-cookies");
+					hasWarned = true;
+				}
 				const returned = ctx.context.responseHeaders;
 				if ("_flag" in ctx && ctx._flag === "router") return;
 				if (returned instanceof Headers) {

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.8";
+var version = "1.6.10";
 //#endregion
 export { version };

package/dist/plugins/admin/client.d.mts

@@ -44,8 +44,13 @@ declare const adminClient: <O extends AdminClientOptions>(options?: O | undefine
   };
   pathMethods: {
     "/admin/list-users": "GET";
+    "/admin/impersonate-user": "POST";
     "/admin/stop-impersonating": "POST";
   };
+  atomListeners: {
+    matcher: (path: string) => path is "/admin/impersonate-user" | "/admin/stop-impersonating";
+    signal: "$sessionSignal";
+  }[];
   $ERROR_CODES: {
     USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL: _better_auth_core_utils_error_codes0.RawError<"USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL">;
     FAILED_TO_CREATE_USER: _better_auth_core_utils_error_codes0.RawError<"FAILED_TO_CREATE_USER">;

package/dist/plugins/admin/client.mjs

@@ -25,8 +25,13 @@ const adminClient = (options) => {
 		} } }),
 		pathMethods: {
 			"/admin/list-users": "GET",
+			"/admin/impersonate-user": "POST",
 			"/admin/stop-impersonating": "POST"
 		},
+		atomListeners: [{
+			matcher: (path) => path === "/admin/impersonate-user" || path === "/admin/stop-impersonating",
+			signal: "$sessionSignal"
+		}],
 		$ERROR_CODES: ADMIN_ERROR_CODES
 	};
 };

package/dist/plugins/bearer/index.mjs

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, setRequestCookie } from "../../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { serializeSignedCookie } from "better-call";
 import { createAuthMiddleware } from "@better-auth/core/api";
@@ -48,9 +48,7 @@ const bearer = (options) => {
 					}
 					const existingHeaders = c.request?.headers || c.headers;
 					const headers = new Headers({ ...Object.fromEntries(existingHeaders?.entries()) });
-					const existingCookie = headers.get("cookie");
-					const newCookie = `${c.context.authCookies.sessionToken.name}=${signedToken}`;
-					headers.set("cookie", existingCookie ? `${existingCookie}; ${newCookie}` : newCookie);
+					setRequestCookie(headers, c.context.authCookies.sessionToken.name, signedToken);
 					return { context: { headers } };
 				})
 			}],

package/dist/plugins/captcha/index.mjs

@@ -14,7 +14,20 @@ const captcha = (options) => ({
 	$ERROR_CODES: EXTERNAL_ERROR_CODES,
 	onRequest: async (request, ctx) => {
 		try {
-			if (!(options.endpoints?.length ? options.endpoints : defaultEndpoints).some((endpoint) => request.url.includes(endpoint))) return void 0;
+			const endpoints = options.endpoints?.length ? options.endpoints : defaultEndpoints;
+			const url = new URL(request.url);
+			const basePath = ctx.options.basePath ?? "/api/auth";
+			let pathname = url.pathname.replace(basePath, "");
+			if (pathname.endsWith("//")) pathname = pathname.slice(0, -1);
+			if (pathname.startsWith("//")) pathname = pathname.slice(1);
+			if (!pathname.startsWith("/")) pathname = "/" + pathname;
+			const blockedPaths = ["/sign-in/email-otp"].reduce((acc, curr) => {
+				if (options.endpoints?.length && options.endpoints.includes(curr)) return acc;
+				return [...acc, curr];
+			}, []);
+			if (!endpoints.some((endpoint) => {
+				return pathname.includes(endpoint) && !blockedPaths.includes(endpoint);
+			})) return;
 			if (!options.secretKey) throw new Error(INTERNAL_ERROR_CODES.MISSING_SECRET_KEY.message);
 			const captchaResponse = request.headers.get("x-captcha-response");
 			const remoteUserIP = getIp(request, ctx.options) ?? void 0;

package/dist/plugins/email-otp/routes.mjs

@@ -465,7 +465,7 @@ const requestPasswordResetEmailOTP = (opts) => createAuthEndpoint("/email-otp/re
 		} }
 	} }
 }, async (ctx) => {
-	const email = ctx.body.email;
+	const email = ctx.body.email.toLowerCase();
 	const identifier = toOTPIdentifier("forget-password", email);
 	const otp = await resolveOTP(ctx, opts, email, "forget-password");
 	if (!await ctx.context.internalAdapter.findUserByEmail(email)) {
@@ -517,7 +517,7 @@ const forgetPasswordEmailOTP = (opts) => {
 		} }
 	}, async (ctx) => {
 		warnDeprecation();
-		const email = ctx.body.email;
+		const email = ctx.body.email.toLowerCase();
 		const identifier = toOTPIdentifier("forget-password", email);
 		const otp = await resolveOTP(ctx, opts, email, "forget-password");
 		if (!await ctx.context.internalAdapter.findUserByEmail(email)) {
@@ -567,7 +567,7 @@ const resetPasswordEmailOTP = (opts) => createAuthEndpoint("/email-otp/reset-pas
 		} }
 	} }
 }, async (ctx) => {
-	const email = ctx.body.email;
+	const email = ctx.body.email.toLowerCase();
 	await atomicVerifyOTP(ctx, opts, toOTPIdentifier("forget-password", email), ctx.body.otp);
 	const user = await ctx.context.internalAdapter.findUserByEmail(email, { includeAccounts: true });
 	if (!user) throw APIError$1.from("BAD_REQUEST", BASE_ERROR_CODES.USER_NOT_FOUND);

package/dist/plugins/generic-oauth/routes.mjs

@@ -132,7 +132,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 	}
 }, async (ctx) => {
 	const defaultErrorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
-	if (ctx.query.error || !ctx.query.code) throw ctx.redirect(`${defaultErrorURL}?error=${ctx.query.error || "oAuth_code_missing"}&error_description=${ctx.query.error_description}`);
+	if (ctx.query.error || !ctx.query.code) throw ctx.redirect(`${defaultErrorURL}?error=${encodeURIComponent(ctx.query.error || "oAuth_code_missing")}&error_description=${encodeURIComponent(ctx.query.error_description || "")}`);
 	const providerId = ctx.params?.providerId;
 	if (!providerId) throw APIError$1.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.PROVIDER_ID_REQUIRED);
 	const providerConfig = options.config.find((p) => p.providerId === providerId);
@@ -143,8 +143,8 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 	function redirectOnError(error) {
 		const defaultErrorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
 		let url = errorURL || defaultErrorURL;
-		if (url.includes("?")) url = `${url}&error=${error}`;
-		else url = `${url}?error=${error}`;
+		if (url.includes("?")) url = `${url}&error=${encodeURIComponent(error)}`;
+		else url = `${url}?error=${encodeURIComponent(error)}`;
 		throw ctx.redirect(url);
 	}
 	let finalTokenUrl = providerConfig.tokenUrl;

package/dist/plugins/one-tap/index.mjs

@@ -45,8 +45,9 @@ const oneTap = (options) => ({
 		} catch {
 			throw new APIError("BAD_REQUEST", { message: "invalid id token" });
 		}
-		const { email, email_verified, name, picture, sub } = payload;
-		if (!email) return ctx.json({ error: "Email not available in token" });
+		const { email: rawEmail, email_verified, name, picture, sub } = payload;
+		if (!rawEmail) return ctx.json({ error: "Email not available in token" });
+		const email = rawEmail.toLowerCase();
 		const user = await ctx.context.internalAdapter.findUserByEmail(email);
 		if (!user) {
 			if (options?.disableSignup) throw new APIError("BAD_GATEWAY", { message: "User not found" });