better-auth 1.6.9 → 1.6.11

package/dist/api/index.d.mts

@@ -178,7 +178,6 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
                       };
                       redirect: {
                         type: string;
-                        enum: boolean[];
                       };
                     };
                     required: string[];
@@ -2167,7 +2166,6 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
                       };
                       redirect: {
                         type: string;
-                        enum: boolean[];
                       };
                     };
                     required: string[];

package/dist/api/routes/callback.mjs

@@ -91,10 +91,11 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		...tokens,
 		user: parsedUserData ?? void 0
 	}).then((res) => res?.user);
-	if (!userInfo) {
+	if (!userInfo || userInfo.id === void 0 || userInfo.id === null) {
 		c.context.logger.error("Unable to get user info");
 		return redirectOnError("unable_to_get_user_info");
 	}
+	const providerAccountId = String(userInfo.id);
 	if (!callbackURL) {
 		c.context.logger.error("No callback URL found");
 		throw redirectOnError("no_callback_url");
@@ -105,7 +106,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 			return redirectOnError("unable_to_link_account");
 		}
 		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError("email_doesn't_match");
-		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(String(userInfo.id), provider.id);
+		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(providerAccountId, provider.id);
 		if (existingAccount) {
 			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError("account_already_linked_to_different_user");
 			const updateData = Object.fromEntries(Object.entries({
@@ -120,7 +121,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		} else if (!await c.context.internalAdapter.createAccount({
 			userId: link.userId,
 			providerId: provider.id,
-			accountId: String(userInfo.id),
+			accountId: providerAccountId,
 			...tokens,
 			accessToken: await setTokenUtil(tokens.accessToken, c.context),
 			refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
@@ -140,14 +141,14 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}
 	const accountData = {
 		providerId: provider.id,
-		accountId: String(userInfo.id),
+		accountId: providerAccountId,
 		...tokens,
 		scope: tokens.scopes?.join(",")
 	};
 	const result = await handleOAuthUserInfo(c, {
 		userInfo: {
 			...userInfo,
-			id: String(userInfo.id),
+			id: providerAccountId,
 			email: userInfo.email,
 			name: userInfo.name || ""
 		},

package/dist/api/routes/email-verification.mjs

@@ -12,7 +12,7 @@ import { JWTExpired } from "jose/errors";
 async function createEmailVerificationToken(secret, email, updateTo, expiresIn = 3600, extraPayload) {
 	return await signJWT({
 		email: email.toLowerCase(),
-		updateTo,
+		updateTo: updateTo?.toLowerCase(),
 		...extraPayload
 	}, secret, expiresIn);
 }
@@ -101,7 +101,7 @@ const sendVerificationEmail = createAuthEndpoint("/send-verification-email", {
 		await sendVerificationEmailFn(ctx, user.user);
 		return ctx.json({ status: true });
 	}
-	if (session?.user.email !== email) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_MISMATCH);
+	if (session?.user.email.toLowerCase() !== email.toLowerCase()) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_MISMATCH);
 	if (session?.user.emailVerified) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_ALREADY_VERIFIED);
 	await sendVerificationEmailFn(ctx, session.user);
 	return ctx.json({ status: true });

package/dist/api/routes/error.mjs

@@ -282,7 +282,7 @@ ${custom?.disableBackgroundGrid ? "" : `
               text-wrap: pretty;
             "
           >
-            ${!description ? `We encountered an unexpected error. Please try again or return to the home page. If you're a developer, you can find more information about the error <a href='https://better-auth.com/docs/reference/errors/${encodeURIComponent(code)}' target='_blank' rel="noopener noreferrer" style='color: var(--foreground); text-decoration: underline;'>here</a>.` : description}
+            ${!description ? `We encountered an unexpected error. Please try again or return to the home page. If you're a developer, you can find <a href='https://better-auth.com/docs/reference/errors/${encodeURIComponent(code)}' target='_blank' rel="noopener noreferrer" style='color: var(--foreground); text-decoration: underline;'>more information about the error</a>.` : description}
           </p>
         </div>
 

package/dist/api/routes/sign-in.d.mts

@@ -91,7 +91,6 @@ declare const signInSocial: <O extends BetterAuthOptions>() => better_call0.Stri
                   };
                   redirect: {
                     type: string;
-                    enum: boolean[];
                   };
                 };
                 required: string[];

package/dist/api/routes/sign-in.mjs

@@ -49,10 +49,10 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 			description: "Sign in with a social provider",
 			operationId: "socialSignIn",
 			responses: { "200": {
-				description: "Success - Returns either session details or redirect URL",
+				description: "Success - Returns session details (idToken branch) or an authorize URL (redirect branch)",
 				content: { "application/json": { schema: {
 					type: "object",
-					description: "Session response when idToken is provided",
+					description: "Returns session details when idToken is provided, or an authorize URL otherwise",
 					properties: {
 						token: { type: "string" },
 						user: {
@@ -60,16 +60,9 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 							$ref: "#/components/schemas/User"
 						},
 						url: { type: "string" },
-						redirect: {
-							type: "boolean",
-							enum: [false]
-						}
+						redirect: { type: "boolean" }
 					},
-					required: [
-						"redirect",
-						"token",
-						"user"
-					]
+					required: ["redirect"]
 				} } }
 			} }
 		}

package/dist/api/routes/sign-up.mjs

@@ -157,7 +157,7 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 			ctx.context.logger.error("Password is too long");
 			throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 		}
-		const shouldReturnGenericDuplicateResponse = ctx.context.options.emailAndPassword.requireEmailVerification;
+		const shouldReturnGenericDuplicateResponse = ctx.context.options.emailAndPassword.requireEmailVerification || ctx.context.options.emailAndPassword.autoSignIn === false;
 		const shouldSkipAutoSignIn = ctx.context.options.emailAndPassword.autoSignIn === false || shouldReturnGenericDuplicateResponse;
 		const additionalUserFields = parseUserInput(ctx.context.options, rest, "create");
 		const normalizedEmail = email.toLowerCase();

package/dist/api/routes/update-user.mjs

@@ -410,7 +410,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 }, async (ctx) => {
 	if (!ctx.context.options.user?.changeEmail?.enabled) {
 		ctx.context.logger.error("Change email is disabled.");
-		throw APIError.fromStatus("BAD_REQUEST", { message: "Change email is disabled" });
+		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.CHANGE_EMAIL_DISABLED);
 	}
 	const newEmail = ctx.body.newEmail.toLowerCase();
 	if (newEmail === ctx.context.session.user.email) {

package/dist/api/to-auth-endpoints.mjs

@@ -117,7 +117,13 @@ function toAuthEndpoints(endpoints, ctx) {
 							* headers override while cookies accumulate.
 							*/
 							const ctxHeaders = e[kAPIErrorHeaderSymbol];
-							const errHeaders = e.headers ? new Headers(e.headers) : null;
+							/**
+							* `c.redirect()` (and similar APIError throws) reuse
+							* `ctx.responseHeaders` as `e.headers`, so when both sources
+							* reference the same Headers, iterating both duplicates every
+							* `set-cookie`. Skip the `errHeaders` copy in that case.
+							*/
+							const errHeaders = e.headers && e.headers !== ctxHeaders ? new Headers(e.headers) : null;
 							let headers = null;
 							if (ctxHeaders || errHeaders) {
 								headers = new Headers();

package/dist/client/index.d.mts

@@ -8,7 +8,7 @@ import { parseJSON } from "./parser.mjs";
 import { AuthQueryAtom, useAuthQuery } from "./query.mjs";
 import { SessionRefreshOptions, SessionResponse, createSessionRefreshManager } from "./session-refresh.mjs";
 import { AuthClient, createAuthClient } from "./vanilla.mjs";
-import { AccessControl, ArrayElement, Role, Statements, SubArray, Subset } from "../plugins/access/types.mjs";
+import { AccessControl, ArrayElement, ExactRoleStatements, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, Statements, SubArray, Subset } from "../plugins/access/types.mjs";
 import { AuthorizeResponse, createAccessControl, role } from "../plugins/access/access.mjs";
 import { OrganizationOptions } from "../plugins/organization/types.mjs";
 import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferTeam, Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, Team, TeamInput, TeamMember, TeamMemberInput, defaultRolesSchema, invitationSchema, invitationStatus, memberSchema, organizationRoleSchema, organizationSchema, roleSchema, teamMemberSchema, teamSchema } from "../plugins/organization/schema.mjs";
@@ -31,4 +31,4 @@ declare function InferAuth<O extends {
   options: BetterAuthOptions;
 }>(): O["options"];
 //#endregion
-export { AccessControl, ArrayElement, AuthClient, AuthQueryAtom, AuthorizeResponse, BetterAuthClientOptions, BetterAuthClientPlugin, BroadcastChannel, BroadcastListener, BroadcastMessage, CamelCase, ClientAtomListener, ClientStore, type DBPrimitive, DefaultOrganizationPlugin, DynamicAccessControlEndpoints, ExtractPluginField, type FocusListener, type FocusManager, HasRequiredKeys, InferActions, InferAdditionalFromClient, InferAuth, InferClientAPI, InferCtx, InferErrorCodes, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPlugin, InferPluginFieldFromTuple, InferRoute, InferRoutes, InferSessionFromClient, InferSignUpEmailCtx, InferTeam, InferUserFromClient, InferUserUpdateCtx, Invitation, InvitationInput, InvitationStatus, IsAny, IsSignal, Member, MemberInput, MergeRoutes, type OnlineListener, type OnlineManager, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, OverrideMerge, PathToObject, Prettify, PrettifyDeep, ProxyRequest, RequiredKeysOf, Role, SessionQueryParams, SessionRefreshOptions, SessionResponse, Statements, StripEmptyObjects, SubArray, Subset, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, type UnionToIntersection, createAccessControl, createAuthClient, createSessionRefreshManager, defaultRolesSchema, getGlobalBroadcastChannel, getOrgAdapter, hasPermission, invitationSchema, invitationStatus, kBroadcastChannel, kFocusManager, kOnlineManager, memberSchema, organization, organizationRoleSchema, organizationSchema, parseJSON, parseRoles, role, roleSchema, teamMemberSchema, teamSchema, useAuthQuery };
+export { AccessControl, ArrayElement, AuthClient, AuthQueryAtom, AuthorizeResponse, BetterAuthClientOptions, BetterAuthClientPlugin, BroadcastChannel, BroadcastListener, BroadcastMessage, CamelCase, ClientAtomListener, ClientStore, type DBPrimitive, DefaultOrganizationPlugin, DynamicAccessControlEndpoints, ExactRoleStatements, ExtractPluginField, type FocusListener, type FocusManager, HasRequiredKeys, InferActions, InferAdditionalFromClient, InferAuth, InferClientAPI, InferCtx, InferErrorCodes, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPlugin, InferPluginFieldFromTuple, InferRoute, InferRoutes, InferSessionFromClient, InferSignUpEmailCtx, InferTeam, InferUserFromClient, InferUserUpdateCtx, Invitation, InvitationInput, InvitationStatus, IsAny, IsSignal, Member, MemberInput, MergeRoutes, type OnlineListener, type OnlineManager, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, OverrideMerge, PathToObject, Prettify, PrettifyDeep, ProxyRequest, RequiredKeysOf, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SessionQueryParams, SessionRefreshOptions, SessionResponse, Statements, StripEmptyObjects, SubArray, Subset, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, type UnionToIntersection, createAccessControl, createAuthClient, createSessionRefreshManager, defaultRolesSchema, getGlobalBroadcastChannel, getOrgAdapter, hasPermission, invitationSchema, invitationStatus, kBroadcastChannel, kFocusManager, kOnlineManager, memberSchema, organization, organizationRoleSchema, organizationSchema, parseJSON, parseRoles, role, roleSchema, teamMemberSchema, teamSchema, useAuthQuery };

package/dist/client/plugins/index.d.mts

@@ -1,3 +1,4 @@
+import { FieldAttributeToObject, RemoveFieldsWithReturnedFalse } from "../../db/field.mjs";
 import { ExtractPluginField, HasRequiredKeys, InferPluginFieldFromTuple, IsAny, OverrideMerge, Prettify, PrettifyDeep, RequiredKeysOf, StripEmptyObjects, UnionToIntersection } from "../../types/helper.mjs";
 import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferTeam, Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, Team, TeamInput, TeamMember, TeamMemberInput, defaultRolesSchema, invitationSchema, invitationStatus, memberSchema, organizationRoleSchema, organizationSchema, roleSchema, teamMemberSchema, teamSchema } from "../../plugins/organization/schema.mjs";
 import { AdminOptions, InferAdminRolesFromOption, SessionWithImpersonatedBy, UserWithRole } from "../../plugins/admin/types.mjs";
@@ -52,4 +53,4 @@ import { phoneNumberClient } from "../../plugins/phone-number/client.mjs";
 import { siweClient } from "../../plugins/siwe/client.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, type FieldAttributeToObject, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, type RemoveFieldsWithReturnedFalse, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };

package/dist/cookies/cookie-utils.d.mts

@@ -33,8 +33,17 @@ declare function stripSecureCookiePrefix(cookieName: string): string;
 declare function splitSetCookieHeader(setCookie: string): string[];
 declare function parseSetCookieHeader(setCookie: string): Map<string, CookieAttributes>;
 declare function toCookieOptions(attributes: CookieAttributes): ParsedCookieOptions;
+/**
+ * Add or replace a cookie in the request `Cookie` header.
+ *
+ * Cookie pairs are joined with `; `, but `headers.append("cookie", ...)`
+ * joins with `, ` in some runtimes (e.g. Deno, Cloudflare Workers) and
+ * breaks downstream cookie parsing. This builds the header value via
+ * parse-mutate-serialize.
+ */
+declare function setRequestCookie(headers: Headers, name: string, value: string): void;
 declare function setCookieToHeader(headers: Headers): (context: {
   response: Response;
 }) => void;
 //#endregion
-export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/cookie-utils.mjs

@@ -102,6 +102,24 @@ function toCookieOptions(attributes) {
 		partitioned: attributes.partitioned
 	};
 }
+/**
+* Add or replace a cookie in the request `Cookie` header.
+*
+* Cookie pairs are joined with `; `, but `headers.append("cookie", ...)`
+* joins with `, ` in some runtimes (e.g. Deno, Cloudflare Workers) and
+* breaks downstream cookie parsing. This builds the header value via
+* parse-mutate-serialize.
+*/
+function setRequestCookie(headers, name, value) {
+	const cookieMap = /* @__PURE__ */ new Map();
+	for (const pair of (headers.get("cookie") || "").split(";")) {
+		const trimmed = pair.trim();
+		const eq = trimmed.indexOf("=");
+		if (eq > 0) cookieMap.set(trimmed.slice(0, eq), trimmed.slice(eq + 1));
+	}
+	cookieMap.set(name, value);
+	headers.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${v}`).join("; "));
+}
 function setCookieToHeader(headers) {
 	return (context) => {
 		const setCookieHeader = context.response.headers.get("set-cookie");
@@ -119,4 +137,4 @@ function setCookieToHeader(headers) {
 	};
 }
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.d.mts

@@ -1,5 +1,5 @@
 import { Session, User } from "../types/models.mjs";
-import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createSessionStore, getAccountCookie, getChunkedCookie } from "./session-store.mjs";
 import { BetterAuthCookie, BetterAuthCookies, BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import * as better_call0 from "better-call";
@@ -116,4 +116,4 @@ declare const getCookieCache: <S extends {
   version?: string | ((session: Session & Record<string, any>, user: User & Record<string, any>) => string) | ((session: Session & Record<string, any>, user: User & Record<string, any>) => Promise<string>);
 } | undefined) => Promise<S | null>;
 //#endregion
-export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.mjs

@@ -4,7 +4,7 @@ import { parseUserOutput } from "../db/schema.mjs";
 import { getDate } from "../utils/date.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
 import { sec } from "../utils/time.mjs";
-import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { env, isProduction } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -258,4 +258,4 @@ const getCookieCache = async (request, config) => {
 	return null;
 };
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/db/internal-adapter.mjs

@@ -15,8 +15,9 @@ const createInternalAdapter = (adapter, ctx) => {
 	const logger = ctx.logger;
 	const options = ctx.options;
 	const secondaryStorage = options.secondaryStorage;
+	const verificationConsumeLocks = /* @__PURE__ */ new Map();
 	const sessionExpiration = options.session?.expiresIn || 3600 * 24 * 7;
-	const { createWithHooks, updateWithHooks, updateManyWithHooks, deleteWithHooks, deleteManyWithHooks } = getWithHooks(adapter, ctx);
+	const { createWithHooks, updateWithHooks, updateManyWithHooks, deleteWithHooks, deleteManyWithHooks, consumeOneWithHooks } = getWithHooks(adapter, ctx);
 	async function refreshUserSessions(user) {
 		if (!secondaryStorage) return;
 		const listRaw = await secondaryStorage.get(`active-sessions-${user.id}`);
@@ -35,13 +36,30 @@ const createInternalAdapter = (adapter, ctx) => {
 			}), Math.floor(sessionTTL));
 		}));
 	}
+	async function withVerificationConsumeLock(key, fn) {
+		const previous = verificationConsumeLocks.get(key) ?? Promise.resolve();
+		let release;
+		const current = new Promise((resolve) => {
+			release = resolve;
+		});
+		const next = previous.catch(() => {}).then(() => current);
+		verificationConsumeLocks.set(key, next);
+		await previous.catch(() => {});
+		try {
+			return await fn();
+		} finally {
+			release();
+			if (verificationConsumeLocks.get(key) === next) verificationConsumeLocks.delete(key);
+		}
+	}
 	return {
 		createOAuthUser: async (user, account) => {
 			return runWithTransaction(adapter, async () => {
 				const createdUser = await createWithHooks({
 					createdAt: /* @__PURE__ */ new Date(),
 					updatedAt: /* @__PURE__ */ new Date(),
-					...user
+					...user,
+					email: user.email?.toLowerCase()
 				}, "user", void 0);
 				return {
 					user: createdUser,
@@ -364,10 +382,10 @@ const createInternalAdapter = (adapter, ctx) => {
 				value: userId
 			}], "account", void 0);
 		},
-		deleteAccount: async (accountId) => {
+		deleteAccount: async (id) => {
 			await deleteWithHooks([{
 				field: "id",
-				value: accountId
+				value: id
 			}], "account", void 0);
 		},
 		deleteSessions: async (userIdOrSessionTokens) => {
@@ -475,7 +493,10 @@ const createInternalAdapter = (adapter, ctx) => {
 			}, "account", void 0);
 		},
 		updateUser: async (userId, data) => {
-			const user = await updateWithHooks(data, [{
+			const user = await updateWithHooks({
+				...data,
+				...data.email ? { email: data.email.toLowerCase() } : {}
+			}, [{
 				field: "id",
 				value: userId
 			}], "user", void 0);
@@ -483,7 +504,10 @@ const createInternalAdapter = (adapter, ctx) => {
 			return user;
 		},
 		updateUserByEmail: async (email, data) => {
-			const user = await updateWithHooks(data, [{
+			const user = await updateWithHooks({
+				...data,
+				...data.email ? { email: data.email.toLowerCase() } : {}
+			}, [{
 				field: "email",
 				value: email.toLowerCase()
 			}], "user", void 0);
@@ -611,6 +635,77 @@ const createInternalAdapter = (adapter, ctx) => {
 				value: storedIdentifier
 			}], "verification", void 0);
 		},
+		consumeVerificationValue: async (identifier) => {
+			const storageOption = getStorageOption(identifier, options.verification?.storeIdentifier);
+			const storedIdentifier = await processIdentifier(identifier, storageOption);
+			const identifiersToTry = storageOption && storageOption !== "plain" ? [storedIdentifier, identifier] : [storedIdentifier];
+			if (secondaryStorage && !options.verification?.storeInDatabase) {
+				const parseCachedVerification = (raw) => {
+					if (!raw) return null;
+					if (typeof raw === "string") return safeJSONParse(raw);
+					if (typeof raw === "object") return raw;
+					return null;
+				};
+				const consumeCacheKey = async (key) => {
+					if (secondaryStorage.getAndDelete) return parseCachedVerification(await secondaryStorage.getAndDelete(key));
+					return withVerificationConsumeLock(key, async () => {
+						const parsed = parseCachedVerification(await secondaryStorage.get(key));
+						if (!parsed) return null;
+						await secondaryStorage.delete(key);
+						return parsed;
+					});
+				};
+				for (const stored of identifiersToTry) {
+					const cached = await consumeCacheKey(`verification:${stored}`);
+					if (!cached) continue;
+					await Promise.all(identifiersToTry.filter((candidate) => candidate !== stored).map((candidate) => secondaryStorage.delete(`verification:${candidate}`)));
+					return cached;
+				}
+				return null;
+			}
+			async function consumeByIdentifier(id) {
+				const where = [{
+					field: "identifier",
+					value: id
+				}];
+				return withVerificationConsumeLock(`verification:${id}`, () => runWithTransaction(adapter, async () => {
+					const txAdapter = await getCurrentAdapter(adapter);
+					const latest = (await txAdapter.findMany({
+						model: "verification",
+						where,
+						sortBy: {
+							field: "createdAt",
+							direction: "desc"
+						},
+						limit: 1
+					}))[0] ?? null;
+					if (!latest) return null;
+					const hookWhere = [{
+						field: "id",
+						value: latest.id
+					}];
+					return consumeOneWithHooks("verification", hookWhere, async () => {
+						const consumed = await txAdapter.consumeOne({
+							model: "verification",
+							where: hookWhere
+						});
+						if (!consumed) return null;
+						await txAdapter.deleteMany({
+							model: "verification",
+							where
+						});
+						return consumed;
+					}, latest);
+				}));
+			}
+			let consumed = null;
+			for (const stored of identifiersToTry) {
+				consumed = await consumeByIdentifier(stored);
+				if (consumed) break;
+			}
+			if (consumed && secondaryStorage) await Promise.all(identifiersToTry.map((stored) => secondaryStorage.delete(`verification:${stored}`)));
+			return consumed;
+		},
 		updateVerificationByIdentifier: async (identifier, data) => {
 			const storedIdentifier = await processIdentifier(identifier, getStorageOption(identifier, options.verification?.storeIdentifier));
 			if (secondaryStorage) {
@@ -634,7 +729,8 @@ const createInternalAdapter = (adapter, ctx) => {
 				value: storedIdentifier
 			}], "verification", void 0);
 			return data;
-		}
+		},
+		refreshUserSessions
 	};
 };
 //#endregion

package/dist/db/with-hooks.d.mts

@@ -31,6 +31,7 @@ declare function getWithHooks(adapter: DBAdapter<BetterAuthOptions>, ctx: {
     fn: (where: Where[]) => void | Promise<any>;
     executeMainFn?: boolean;
   } | undefined) => Promise<any>;
+  consumeOneWithHooks: <T extends Record<string, any>>(model: BaseModelNames, hookWhere: Where[], consumeFn: () => Promise<T | null>, preSnapshot?: T | null) => Promise<T | null>;
 };
 //#endregion
 export { DatabaseHooksEntry, getWithHooks };

package/dist/db/with-hooks.mjs

@@ -185,12 +185,69 @@ function getWithHooks(adapter, ctx) {
 		}
 		return deleted;
 	}
+	/**
+	* Wraps an atomic consume operation in the plugin `delete.before` and
+	* `delete.after` hook lifecycle. The caller supplies a `consumeFn` that
+	* performs the actual single-row delete-and-return (typically the
+	* adapter's `consumeOne`). The first concurrent caller wins, subsequent
+	* racers resolve to `null` without firing `delete.after` hooks.
+	*
+	* `preSnapshot` lets the caller hand in a row it already fetched so
+	* `delete.before` hooks don't trigger a second read. Without it, the
+	* helper falls back to a best-effort `findMany` against `hookWhere`.
+	* The snapshot only feeds `delete.before`; the `consumeFn` return value
+	* is the race gate.
+	*
+	* Returning `false` from a `delete.before` hook aborts the consume and
+	* the helper resolves to `null` (no `consumeFn` call, no after hooks).
+	*/
+	async function consumeOneWithHooks(model, hookWhere, consumeFn, preSnapshot) {
+		const context = await getCurrentAuthContext().catch(() => null);
+		const beforeHooks = hooksEntries.flatMap(({ source, hooks }) => {
+			const fn = hooks[model]?.delete?.before;
+			return fn ? [{
+				source,
+				fn
+			}] : [];
+		});
+		let snapshot = preSnapshot ?? null;
+		if (beforeHooks.length) {
+			if (!snapshot) try {
+				snapshot = (await (await getCurrentAdapter(adapter)).findMany({
+					model,
+					where: hookWhere,
+					limit: 1
+				}))[0] || null;
+			} catch {}
+			if (snapshot) {
+				for (const { source, fn } of beforeHooks) if (await withSpan(`db delete.before ${model}`, {
+					[ATTR_HOOK_TYPE]: "delete.before",
+					[ATTR_DB_COLLECTION_NAME]: model,
+					[ATTR_CONTEXT]: source
+				}, () => fn(snapshot, context)) === false) return null;
+			}
+		}
+		const consumed = await consumeFn();
+		if (!consumed) return null;
+		for (const { source, hooks } of hooksEntries) {
+			const toRun = hooks[model]?.delete?.after;
+			if (toRun) await queueAfterTransactionHook(async () => {
+				await withSpan(`db delete.after ${model}`, {
+					[ATTR_HOOK_TYPE]: "delete.after",
+					[ATTR_DB_COLLECTION_NAME]: model,
+					[ATTR_CONTEXT]: source
+				}, () => toRun(consumed, context));
+			});
+		}
+		return consumed;
+	}
 	return {
 		createWithHooks,
 		updateWithHooks,
 		updateManyWithHooks,
 		deleteWithHooks,
-		deleteManyWithHooks
+		deleteManyWithHooks,
+		consumeOneWithHooks
 	};
 }
 //#endregion

package/dist/integrations/cookie-plugin-guard.mjs

@@ -0,0 +1,18 @@
+//#region src/integrations/cookie-plugin-guard.ts
+/**
+* Warns when a cookie integration plugin is not effectively last.
+*
+* A plugin is considered misordered when there is at least one other plugin
+* after it in the `plugins` array that declares `hooks.after`, since those
+* hooks can set cookies that this integration will not see.
+*/
+function warnIfCookiePluginNotLast(ctx, pluginId) {
+	const plugins = ctx.options.plugins || [];
+	if (plugins.length === 0) return;
+	const index = plugins.findIndex((p) => p.id === pluginId);
+	if (index === -1) return;
+	if (!plugins.slice(index + 1).some((p) => p.hooks && Array.isArray(p.hooks.after) && p.hooks.after.length > 0)) return;
+	ctx.logger.warn(`[better-auth] Cookie integration plugin "${pluginId}" should be placed last in the plugins array. Plugins with \`hooks.after\` running after it may set cookies that are not forwarded to the framework cookie store. Move your cookie integration plugin to the end of the \`plugins\` array to avoid missing \`Set-Cookie\` headers.`);
+}
+//#endregion
+export { warnIfCookiePluginNotLast };

package/dist/integrations/next-js.mjs

@@ -1,6 +1,7 @@
 import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { setShouldSkipSessionRefresh } from "../api/state/should-session-refresh.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
+import { warnIfCookiePluginNotLast } from "./cookie-plugin-guard.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/next-js.ts
 function toNextJsHandler(auth) {
@@ -16,6 +17,7 @@ function toNextJsHandler(auth) {
 	};
 }
 const nextCookies = () => {
+	let hasWarned = false;
 	return {
 		id: "next-cookies",
 		version: PACKAGE_VERSION,
@@ -25,6 +27,10 @@ const nextCookies = () => {
 					return ctx.path === "/get-session";
 				},
 				handler: createAuthMiddleware(async (ctx) => {
+					if (!hasWarned) {
+						warnIfCookiePluginNotLast(ctx.context, "next-cookies");
+						hasWarned = true;
+					}
 					if ("_flag" in ctx && ctx._flag === "router") return;
 					let headersStore;
 					try {

package/dist/integrations/svelte-kit.mjs

@@ -1,5 +1,6 @@
 import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
+import { warnIfCookiePluginNotLast } from "./cookie-plugin-guard.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/svelte-kit.ts
 const toSvelteKitHandler = (auth) => {
@@ -20,6 +21,7 @@ function isAuthPath(url, options) {
 	return true;
 }
 const sveltekitCookies = (getRequestEvent) => {
+	let hasWarned = false;
 	return {
 		id: "sveltekit-cookies",
 		version: PACKAGE_VERSION,
@@ -28,6 +30,10 @@ const sveltekitCookies = (getRequestEvent) => {
 				return true;
 			},
 			handler: createAuthMiddleware(async (ctx) => {
+				if (!hasWarned) {
+					warnIfCookiePluginNotLast(ctx.context, "sveltekit-cookies");
+					hasWarned = true;
+				}
 				const returned = ctx.context.responseHeaders;
 				if ("_flag" in ctx && ctx._flag === "router") return;
 				if (returned instanceof Headers) {

package/dist/integrations/tanstack-start-solid.mjs

@@ -1,5 +1,6 @@
 import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
+import { warnIfCookiePluginNotLast } from "./cookie-plugin-guard.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/tanstack-start-solid.ts
 /**
@@ -20,6 +21,7 @@ import { createAuthMiddleware } from "@better-auth/core/api";
 * ```
 */
 const tanstackStartCookies = () => {
+	let hasWarned = false;
 	return {
 		id: "tanstack-start-cookies-solid",
 		version: PACKAGE_VERSION,
@@ -28,6 +30,10 @@ const tanstackStartCookies = () => {
 				return true;
 			},
 			handler: createAuthMiddleware(async (ctx) => {
+				if (!hasWarned) {
+					warnIfCookiePluginNotLast(ctx.context, "tanstack-start-cookies-solid");
+					hasWarned = true;
+				}
 				const returned = ctx.context.responseHeaders;
 				if ("_flag" in ctx && ctx._flag === "router") return;
 				if (returned instanceof Headers) {