better-auth 1.6.9 → 1.6.11

package/dist/plugins/magic-link/index.mjs

@@ -27,6 +27,7 @@ const magicLink = (options) => {
 		allowedAttempts: 1,
 		...options
 	};
+	if (options.allowedAttempts !== void 0 && options.allowedAttempts !== 1) console.warn("[better-auth/magic-link] `allowedAttempts` is ignored: tokens are consumed atomically on the first verification call (GHSA-hc7v-rggr-4hvx). Any value other than `1` has no effect; remove the option to silence this warning.");
 	async function storeToken(ctx, token) {
 		if (opts.storeToken === "hashed") return await defaultKeyHasher(token);
 		if (typeof opts.storeToken === "object" && "type" in opts.storeToken && opts.storeToken.type === "custom-hasher") return await opts.storeToken.hash(token);
@@ -59,8 +60,7 @@ const magicLink = (options) => {
 					identifier: storedToken,
 					value: JSON.stringify({
 						email,
-						name: ctx.body.name,
-						attempt: 0
+						name: ctx.body.name
 					}),
 					expiresAt: new Date(Date.now() + (opts.expiresIn || 300) * 1e3)
 				});
@@ -119,22 +119,10 @@ const magicLink = (options) => {
 				}
 				const newUserCallbackURL = new URL(ctx.query.newUserCallbackURL ? decodeURIComponent(ctx.query.newUserCallbackURL) : callbackURL, ctx.context.baseURL).toString();
 				const storedToken = await storeToken(ctx, token);
-				const tokenValue = await ctx.context.internalAdapter.findVerificationValue(storedToken);
+				const tokenValue = await ctx.context.internalAdapter.consumeVerificationValue(storedToken);
 				if (!tokenValue) redirectWithError("INVALID_TOKEN");
-				if (tokenValue.expiresAt < /* @__PURE__ */ new Date()) {
-					await ctx.context.internalAdapter.deleteVerificationByIdentifier(storedToken);
-					redirectWithError("EXPIRED_TOKEN");
-				}
-				const { email, name, attempt = 0 } = JSON.parse(tokenValue.value);
-				if (attempt >= opts.allowedAttempts) {
-					await ctx.context.internalAdapter.deleteVerificationByIdentifier(storedToken);
-					redirectWithError("ATTEMPTS_EXCEEDED");
-				}
-				await ctx.context.internalAdapter.updateVerificationByIdentifier(storedToken, { value: JSON.stringify({
-					email,
-					name,
-					attempt: attempt + 1
-				}) });
+				if (tokenValue.expiresAt < /* @__PURE__ */ new Date()) redirectWithError("EXPIRED_TOKEN");
+				const { email, name } = JSON.parse(tokenValue.value);
 				let isNewUser = false;
 				let user = await ctx.context.internalAdapter.findUserByEmail(email).then((res) => res?.user);
 				if (!user) if (!opts.disableSignUp) {

package/dist/plugins/mcp/authorize.mjs

@@ -72,8 +72,14 @@ async function authorizeMCPOAuth(ctx, options) {
 	});
 	if (invalidScopes.length) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`));
 	if ((!query.code_challenge || !query.code_challenge_method) && options.requirePKCE) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "pkce is required"));
-	if (!query.code_challenge_method) query.code_challenge_method = "plain";
-	if (!["s256", options.allowPlainCodeChallengeMethod ? "plain" : "s256"].includes(query.code_challenge_method?.toLowerCase() || "")) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method"));
+	if (query.code_challenge_method && !query.code_challenge) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "code_challenge_method requires code_challenge"));
+	if (query.code_challenge) {
+		const allowedCodeChallengeMethods = options.allowPlainCodeChallengeMethod ? ["s256", "plain"] : ["s256"];
+		let codeChallengeMethod = query.code_challenge_method?.toLowerCase();
+		if (!codeChallengeMethod && options.allowPlainCodeChallengeMethod) codeChallengeMethod = "plain";
+		if (!codeChallengeMethod || !allowedCodeChallengeMethods.includes(codeChallengeMethod)) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method"));
+		query.code_challenge_method = codeChallengeMethod;
+	}
 	const code = generateRandomString(32, "a-z", "A-Z", "0-9");
 	const codeExpiresInMs = opts.codeExpiresIn * 1e3;
 	const expiresAt = new Date(Date.now() + codeExpiresInMs);

package/dist/plugins/mcp/index.mjs

@@ -1,5 +1,6 @@
 import { getBaseURL, isDynamicBaseURLConfig, resolveBaseURL } from "../../utils/url.mjs";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { constantTimeEqual } from "../../crypto/buffer.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { expireCookie } from "../../cookies/index.mjs";
 import { resolveDynamicTrustedProxyHeaders } from "../../context/helpers.mjs";
@@ -45,7 +46,7 @@ const getMCPProviderMetadata = (ctx, options) => {
 		grant_types_supported: ["authorization_code", "refresh_token"],
 		acr_values_supported: ["urn:mace:incommon:iap:silver", "urn:mace:incommon:iap:bronze"],
 		subject_types_supported: ["public"],
-		id_token_signing_alg_values_supported: ["RS256", "none"],
+		id_token_signing_alg_values_supported: ["RS256"],
 		token_endpoint_auth_methods_supported: [
 			"client_secret_basic",
 			"client_secret_post",
@@ -81,7 +82,7 @@ const getMCPProtectedResourceMetadata = (ctx, options) => {
 			"offline_access"
 		],
 		bearer_methods_supported: ["header"],
-		resource_signing_alg_values_supported: ["RS256", "none"]
+		resource_signing_alg_values_supported: ["RS256"]
 	};
 };
 const registerMcpClientBodySchema = z.object({
@@ -122,7 +123,7 @@ const mcp = (options) => {
 		defaultScope: "openid",
 		accessTokenExpiresIn: 3600,
 		refreshTokenExpiresIn: 604800,
-		allowPlainCodeChallengeMethod: true,
+		allowPlainCodeChallengeMethod: false,
 		...options.oidcConfig,
 		loginPage: options.loginPage,
 		scopes: [
@@ -225,10 +226,6 @@ const mcp = (options) => {
 					allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"]
 				}
 			}, async (ctx) => {
-				ctx.setHeader("Access-Control-Allow-Origin", "*");
-				ctx.setHeader("Access-Control-Allow-Methods", "POST, OPTIONS");
-				ctx.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
-				ctx.setHeader("Access-Control-Max-Age", "86400");
 				let { body } = ctx;
 				if (!body) throw ctx.error("BAD_REQUEST", {
 					error_description: "request body not found",
@@ -241,25 +238,43 @@ const mcp = (options) => {
 				});
 				let { client_id, client_secret } = body;
 				const authorization = ctx.request?.headers.get("authorization") || null;
-				if (authorization && !client_id && !client_secret && authorization.startsWith("Basic ")) try {
-					const encoded = authorization.replace("Basic ", "");
-					const decoded = new TextDecoder().decode(base64.decode(encoded));
-					if (!decoded.includes(":")) throw new APIError("UNAUTHORIZED", {
+				if (authorization && !client_secret && authorization.startsWith("Basic ")) {
+					let decoded;
+					try {
+						const encoded = authorization.replace("Basic ", "");
+						decoded = new TextDecoder().decode(base64.decode(encoded));
+					} catch {
+						throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid authorization header format",
+							error: "invalid_client"
+						});
+					}
+					const colonIndex = decoded.indexOf(":");
+					if (colonIndex === -1) throw new APIError("UNAUTHORIZED", {
 						error_description: "invalid authorization header format",
 						error: "invalid_client"
 					});
-					const [id, secret] = decoded.split(":");
+					let id;
+					let secret;
+					try {
+						id = decodeURIComponent(decoded.slice(0, colonIndex));
+						secret = decodeURIComponent(decoded.slice(colonIndex + 1));
+					} catch {
+						throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid authorization header format",
+							error: "invalid_client"
+						});
+					}
 					if (!id || !secret) throw new APIError("UNAUTHORIZED", {
 						error_description: "invalid authorization header format",
 						error: "invalid_client"
 					});
-					client_id = id;
-					client_secret = secret;
-				} catch {
-					throw new APIError("UNAUTHORIZED", {
-						error_description: "invalid authorization header format",
+					if (client_id && client_id.toString() !== id) throw new APIError("UNAUTHORIZED", {
+						error_description: "client_id in body does not match Authorization header",
 						error: "invalid_client"
 					});
+					client_id = id;
+					client_secret = secret;
 				}
 				const { grant_type, code, redirect_uri, refresh_token, code_verifier } = body;
 				if (grant_type === "refresh_token") {
@@ -286,6 +301,38 @@ const mcp = (options) => {
 						error_description: "refresh token expired",
 						error: "invalid_grant"
 					});
+					const refreshClient = await ctx.context.adapter.findOne({
+						model: modelName.oauthClient,
+						where: [{
+							field: "clientId",
+							value: client_id.toString()
+						}]
+					}).then((res) => {
+						if (!res) return null;
+						return {
+							...res,
+							redirectUrls: res.redirectUrls.split(","),
+							metadata: res.metadata ? JSON.parse(res.metadata) : {}
+						};
+					});
+					if (!refreshClient) throw new APIError("UNAUTHORIZED", {
+						error_description: "invalid client_id",
+						error: "invalid_client"
+					});
+					if (refreshClient.disabled) throw new APIError("UNAUTHORIZED", {
+						error_description: "client is disabled",
+						error: "invalid_client"
+					});
+					if (refreshClient.type !== "public") {
+						if (!refreshClient.clientSecret || !client_secret) throw new APIError("UNAUTHORIZED", {
+							error_description: "client_secret is required for confidential clients",
+							error: "invalid_client"
+						});
+						if (!constantTimeEqual(refreshClient.clientSecret, client_secret.toString())) throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid client_secret",
+							error: "invalid_client"
+						});
+					}
 					const accessToken = generateRandomString(32, "a-z", "A-Z");
 					const newRefreshToken = generateRandomString(32, "a-z", "A-Z");
 					const accessTokenExpiresAt = new Date(Date.now() + opts.accessTokenExpiresIn * 1e3);
@@ -320,11 +367,7 @@ const mcp = (options) => {
 					error_description: "code verifier is missing",
 					error: "invalid_request"
 				});
-				/**
-				* We need to check if the code is valid before we can proceed
-				* with the rest of the request.
-				*/
-				const verificationValue = await ctx.context.internalAdapter.findVerificationValue(code.toString());
+				const verificationValue = await ctx.context.internalAdapter.consumeVerificationValue(code.toString());
 				if (!verificationValue) throw new APIError("UNAUTHORIZED", {
 					error_description: "invalid code",
 					error: "invalid_grant"
@@ -333,7 +376,6 @@ const mcp = (options) => {
 					error_description: "code expired",
 					error: "invalid_grant"
 				});
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(code.toString());
 				if (!client_id) throw new APIError("UNAUTHORIZED", {
 					error_description: "client_id is required",
 					error: "invalid_client"
@@ -378,11 +420,11 @@ const mcp = (options) => {
 						error: "invalid_request"
 					});
 				} else {
-					if (!client_secret) throw new APIError("UNAUTHORIZED", {
+					if (!client.clientSecret || !client_secret) throw new APIError("UNAUTHORIZED", {
 						error_description: "client_secret is required for confidential clients",
 						error: "invalid_client"
 					});
-					if (!(client.clientSecret === client_secret.toString())) throw new APIError("UNAUTHORIZED", {
+					if (!constantTimeEqual(client.clientSecret, client_secret.toString())) throw new APIError("UNAUTHORIZED", {
 						error_description: "invalid client_secret",
 						error: "invalid_client"
 					});
@@ -400,12 +442,13 @@ const mcp = (options) => {
 					error_description: "code verifier is missing",
 					error: "invalid_request"
 				});
-				if ((value.codeChallengeMethod === "plain" ? code_verifier : await createHash("SHA-256", "base64urlnopad").digest(code_verifier)) !== value.codeChallenge) throw new APIError("UNAUTHORIZED", {
-					error_description: "code verification failed",
-					error: "invalid_request"
-				});
+				if (value.codeChallenge) {
+					if ((value.codeChallengeMethod === "plain" ? code_verifier : await createHash("SHA-256", "base64urlnopad").digest(code_verifier)) !== value.codeChallenge) throw new APIError("UNAUTHORIZED", {
+						error_description: "code verification failed",
+						error: "invalid_request"
+					});
+				}
 				const requestedScopes = value.scope;
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(code.toString());
 				const accessToken = generateRandomString(32, "a-z", "A-Z");
 				const refreshToken = generateRandomString(32, "A-Z", "a-z");
 				const accessTokenExpiresAt = new Date(Date.now() + opts.accessTokenExpiresIn * 1e3);

package/dist/plugins/oidc-provider/authorize.mjs

@@ -93,8 +93,14 @@ async function authorize(ctx, options) {
 	});
 	if (invalidScopes.length) return handleRedirect(formatErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`));
 	if ((!query.code_challenge || !query.code_challenge_method) && options.requirePKCE) return handleRedirect(formatErrorURL(query.redirect_uri, "invalid_request", "pkce is required"));
-	if (!query.code_challenge_method) query.code_challenge_method = "plain";
-	if (!["s256", options.allowPlainCodeChallengeMethod ? "plain" : "s256"].includes(query.code_challenge_method?.toLowerCase() || "")) return handleRedirect(formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method"));
+	if (query.code_challenge_method && !query.code_challenge) return handleRedirect(formatErrorURL(query.redirect_uri, "invalid_request", "code_challenge_method requires code_challenge"));
+	if (query.code_challenge) {
+		const allowedCodeChallengeMethods = options.allowPlainCodeChallengeMethod ? ["s256", "plain"] : ["s256"];
+		let codeChallengeMethod = query.code_challenge_method?.toLowerCase();
+		if (!codeChallengeMethod && options.allowPlainCodeChallengeMethod) codeChallengeMethod = "plain";
+		if (!codeChallengeMethod || !allowedCodeChallengeMethods.includes(codeChallengeMethod)) return handleRedirect(formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method"));
+		query.code_challenge_method = codeChallengeMethod;
+	}
 	const code = generateRandomString(32, "a-z", "A-Z", "0-9");
 	const codeExpiresInMs = opts.codeExpiresIn * 1e3;
 	const expiresAt = new Date(Date.now() + codeExpiresInMs);

package/dist/plugins/oidc-provider/index.mjs

@@ -1,5 +1,6 @@
 import { mergeSchema } from "../../db/schema.mjs";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { constantTimeEqual } from "../../crypto/buffer.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
 import { expireCookie } from "../../cookies/index.mjs";
@@ -52,11 +53,7 @@ const getMetadata = (ctx, options) => {
 	const jwtPlugin = ctx.context.getPlugin("jwt");
 	const issuer = jwtPlugin && jwtPlugin.options?.jwt && jwtPlugin.options.jwt.issuer ? jwtPlugin.options.jwt.issuer : ctx.context.options.baseURL;
 	const baseURL = ctx.context.baseURL;
-	const supportedAlgs = options?.useJWTPlugin ? [
-		"RS256",
-		"EdDSA",
-		"none"
-	] : ["HS256", "none"];
+	const supportedAlgs = options?.useJWTPlugin ? ["RS256", "EdDSA"] : ["HS256"];
 	return {
 		issuer,
 		authorization_endpoint: `${baseURL}/oauth2/authorize`,
@@ -161,7 +158,7 @@ const oidcProvider = (options) => {
 		defaultScope: "openid",
 		accessTokenExpiresIn: DEFAULT_ACCESS_TOKEN_EXPIRES_IN,
 		refreshTokenExpiresIn: DEFAULT_REFRESH_TOKEN_EXPIRES_IN,
-		allowPlainCodeChallengeMethod: true,
+		allowPlainCodeChallengeMethod: false,
 		storeClientSecret: "plain",
 		...options,
 		scopes: [
@@ -190,14 +187,14 @@ const oidcProvider = (options) => {
 	* Verify stored client secret against provided client secret
 	*/
 	async function verifyStoredClientSecret(ctx, storedClientSecret, clientSecret) {
-		if (opts.storeClientSecret === "encrypted") return await symmetricDecrypt({
+		if (opts.storeClientSecret === "encrypted") return constantTimeEqual(await symmetricDecrypt({
 			key: ctx.context.secretConfig,
 			data: storedClientSecret
-		}) === clientSecret;
-		if (opts.storeClientSecret === "hashed") return await defaultClientSecretHasher(clientSecret) === storedClientSecret;
-		if (typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret) return await opts.storeClientSecret.hash(clientSecret) === storedClientSecret;
-		if (typeof opts.storeClientSecret === "object" && "decrypt" in opts.storeClientSecret) return await opts.storeClientSecret.decrypt(storedClientSecret) === clientSecret;
-		return clientSecret === storedClientSecret;
+		}), clientSecret);
+		if (opts.storeClientSecret === "hashed") return constantTimeEqual(await defaultClientSecretHasher(clientSecret), storedClientSecret);
+		if (typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret) return constantTimeEqual(await opts.storeClientSecret.hash(clientSecret), storedClientSecret);
+		if (typeof opts.storeClientSecret === "object" && "decrypt" in opts.storeClientSecret) return constantTimeEqual(await opts.storeClientSecret.decrypt(storedClientSecret), clientSecret);
+		return constantTimeEqual(clientSecret, storedClientSecret);
 	}
 	return {
 		id: "oidc-provider",
@@ -378,25 +375,43 @@ const oidcProvider = (options) => {
 				});
 				let { client_id, client_secret } = body;
 				const authorization = ctx.request?.headers.get("authorization") || null;
-				if (authorization && !client_id && !client_secret && authorization.startsWith("Basic ")) try {
-					const encoded = authorization.replace("Basic ", "");
-					const decoded = new TextDecoder().decode(base64.decode(encoded));
-					if (!decoded.includes(":")) throw new APIError("UNAUTHORIZED", {
+				if (authorization && !client_secret && authorization.startsWith("Basic ")) {
+					let decoded;
+					try {
+						const encoded = authorization.replace("Basic ", "");
+						decoded = new TextDecoder().decode(base64.decode(encoded));
+					} catch {
+						throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid authorization header format",
+							error: "invalid_client"
+						});
+					}
+					const colonIndex = decoded.indexOf(":");
+					if (colonIndex === -1) throw new APIError("UNAUTHORIZED", {
 						error_description: "invalid authorization header format",
 						error: "invalid_client"
 					});
-					const [id, secret] = decoded.split(":");
+					let id;
+					let secret;
+					try {
+						id = decodeURIComponent(decoded.slice(0, colonIndex));
+						secret = decodeURIComponent(decoded.slice(colonIndex + 1));
+					} catch {
+						throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid authorization header format",
+							error: "invalid_client"
+						});
+					}
 					if (!id || !secret) throw new APIError("UNAUTHORIZED", {
 						error_description: "invalid authorization header format",
 						error: "invalid_client"
 					});
-					client_id = id;
-					client_secret = secret;
-				} catch {
-					throw new APIError("UNAUTHORIZED", {
-						error_description: "invalid authorization header format",
+					if (client_id && client_id.toString() !== id) throw new APIError("UNAUTHORIZED", {
+						error_description: "client_id in body does not match Authorization header",
 						error: "invalid_client"
 					});
+					client_id = id;
+					client_secret = secret;
 				}
 				const now = Date.now();
 				const iat = Math.floor(now / 1e3);
@@ -428,6 +443,25 @@ const oidcProvider = (options) => {
 						error_description: "refresh token expired",
 						error: "invalid_grant"
 					});
+					const refreshClient = await getClient(client_id.toString(), trustedClients);
+					if (!refreshClient) throw new APIError("UNAUTHORIZED", {
+						error_description: "invalid client_id",
+						error: "invalid_client"
+					});
+					if (refreshClient.disabled) throw new APIError("UNAUTHORIZED", {
+						error_description: "client is disabled",
+						error: "invalid_client"
+					});
+					if (refreshClient.type !== "public") {
+						if (!refreshClient.clientSecret || !client_secret) throw new APIError("UNAUTHORIZED", {
+							error_description: "client_secret is required for confidential clients",
+							error: "invalid_client"
+						});
+						if (!await verifyStoredClientSecret(ctx, refreshClient.clientSecret, client_secret.toString())) throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid client_secret",
+							error: "invalid_client"
+						});
+					}
 					const accessToken = generateRandomString(32, "a-z", "A-Z");
 					const newRefreshToken = generateRandomString(32, "a-z", "A-Z");
 					await ctx.context.adapter.create({
@@ -460,11 +494,7 @@ const oidcProvider = (options) => {
 					error_description: "code verifier is missing",
 					error: "invalid_request"
 				});
-				/**
-				* We need to check if the code is valid before we can proceed
-				* with the rest of the request.
-				*/
-				const verificationValue = await ctx.context.internalAdapter.findVerificationValue(code.toString());
+				const verificationValue = await ctx.context.internalAdapter.consumeVerificationValue(code.toString());
 				if (!verificationValue) throw new APIError("UNAUTHORIZED", {
 					error_description: "invalid code",
 					error: "invalid_grant"
@@ -473,7 +503,6 @@ const oidcProvider = (options) => {
 					error_description: "code expired",
 					error: "invalid_grant"
 				});
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(code.toString());
 				if (!client_id) throw new APIError("UNAUTHORIZED", {
 					error_description: "client_id is required",
 					error: "invalid_client"
@@ -527,12 +556,13 @@ const oidcProvider = (options) => {
 						error: "invalid_client"
 					});
 				}
-				if ((value.codeChallengeMethod === "plain" ? code_verifier : await createHash("SHA-256", "base64urlnopad").digest(code_verifier)) !== value.codeChallenge) throw new APIError("UNAUTHORIZED", {
-					error_description: "code verification failed",
-					error: "invalid_request"
-				});
+				if (value.codeChallenge) {
+					if ((value.codeChallengeMethod === "plain" ? code_verifier : await createHash("SHA-256", "base64urlnopad").digest(code_verifier)) !== value.codeChallenge) throw new APIError("UNAUTHORIZED", {
+						error_description: "code verification failed",
+						error: "invalid_request"
+					});
+				}
 				const requestedScopes = value.scope;
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(code.toString());
 				const accessToken = generateRandomString(32, "a-z", "A-Z");
 				const refreshToken = generateRandomString(32, "A-Z", "a-z");
 				await ctx.context.adapter.create({

package/dist/plugins/one-tap/index.mjs

@@ -45,8 +45,9 @@ const oneTap = (options) => ({
 		} catch {
 			throw new APIError("BAD_REQUEST", { message: "invalid id token" });
 		}
-		const { email, email_verified, name, picture, sub } = payload;
-		if (!email) return ctx.json({ error: "Email not available in token" });
+		const { email: rawEmail, email_verified, name, picture, sub } = payload;
+		if (!rawEmail) return ctx.json({ error: "Email not available in token" });
+		const email = rawEmail.toLowerCase();
 		const user = await ctx.context.internalAdapter.findUserByEmail(email);
 		if (!user) {
 			if (options?.disableSignup) throw new APIError("BAD_GATEWAY", { message: "User not found" });
@@ -70,14 +71,19 @@ const oneTap = (options) => ({
 				user: parseUserOutput(ctx.context.options, newUser.user)
 			});
 		}
-		if (!await ctx.context.internalAdapter.findAccount(sub)) if ((ctx.context.options.account?.accountLinking)?.enabled !== false && (ctx.context.trustedProviders.includes("google") || email_verified)) await ctx.context.internalAdapter.linkAccount({
-			userId: user.user.id,
-			providerId: "google",
-			accountId: sub,
-			scope: "openid,profile,email",
-			idToken
-		});
-		else throw new APIError("UNAUTHORIZED", { message: "Google sub doesn't match" });
+		if (!await ctx.context.internalAdapter.findAccount(sub)) {
+			const accountLinking = ctx.context.options.account?.accountLinking;
+			const providerEmailVerified = typeof email_verified === "boolean" ? email_verified : toBoolean(email_verified);
+			const requireLocalEmailVerified = accountLinking?.requireLocalEmailVerified ?? true;
+			if (accountLinking?.enabled !== false && accountLinking?.disableImplicitLinking !== true && (!requireLocalEmailVerified || user.user.emailVerified) && (ctx.context.trustedProviders.includes("google") || providerEmailVerified)) await ctx.context.internalAdapter.linkAccount({
+				userId: user.user.id,
+				providerId: "google",
+				accountId: sub,
+				scope: "openid,profile,email",
+				idToken
+			});
+			else throw new APIError("UNAUTHORIZED", { message: "Google identity cannot be linked: implicit account-linking is disabled, the local email is not verified, or the Google email_verified claim is false and Google is not a trusted provider" });
+		}
 		const session = await ctx.context.internalAdapter.createSession(user.user.id);
 		await setSessionCookie(ctx, {
 			user: user.user,