better-auth 1.6.9 → 1.6.11

package/dist/plugins/organization/access/statement.d.mts

@@ -1,5 +1,4 @@
-import { Subset } from "../../access/types.mjs";
-import { AuthorizeResponse } from "../../access/access.mjs";
+import { ExactRoleStatements, Role, RoleInput, Statements } from "../../access/types.mjs";
 //#region src/plugins/organization/access/statement.d.ts
 declare const defaultStatements: {
   readonly organization: readonly ["update", "delete"];
@@ -9,137 +8,100 @@ declare const defaultStatements: {
   readonly ac: readonly ["create", "read", "update", "delete"];
 };
 declare const defaultAc: {
-  newRole<K extends "organization" | "member" | "team" | "ac" | "invitation">(statements: Subset<K, {
+  newRole<const TRoleStatements extends Statements>(statements: RoleInput<{
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
     readonly team: readonly ["create", "update", "delete"];
     readonly ac: readonly ["create", "read", "update", "delete"];
-  }>): {
-    authorize<K_1 extends K>(request: K_1 extends infer T extends keyof Subset<K, {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }> ? { [key in T]?: Subset<K, {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key] | {
-      actions: Subset<K, {
-        readonly organization: readonly ["update", "delete"];
-        readonly member: readonly ["create", "update", "delete"];
-        readonly invitation: readonly ["create", "cancel"];
-        readonly team: readonly ["create", "update", "delete"];
-        readonly ac: readonly ["create", "read", "update", "delete"];
-      }>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<K, {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>;
-  };
-  statements: {
-    readonly organization: readonly ["update", "delete"];
-    readonly member: readonly ["create", "update", "delete"];
-    readonly invitation: readonly ["create", "cancel"];
-    readonly team: readonly ["create", "update", "delete"];
-    readonly ac: readonly ["create", "read", "update", "delete"];
-  };
-};
-declare const adminAc: {
-  authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-    readonly organization: readonly ["update", "delete"];
-    readonly member: readonly ["create", "update", "delete"];
-    readonly invitation: readonly ["create", "cancel"];
-    readonly team: readonly ["create", "update", "delete"];
-    readonly ac: readonly ["create", "read", "update", "delete"];
-  }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-    readonly organization: readonly ["update", "delete"];
-    readonly member: readonly ["create", "update", "delete"];
-    readonly invitation: readonly ["create", "cancel"];
-    readonly team: readonly ["create", "update", "delete"];
-    readonly ac: readonly ["create", "read", "update", "delete"];
-  }>[key] | {
-    actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key];
-    connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-  statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
+  }, TRoleStatements>): Role<ExactRoleStatements<TRoleStatements>, {
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
     readonly team: readonly ["create", "update", "delete"];
     readonly ac: readonly ["create", "read", "update", "delete"];
   }>;
-};
-declare const ownerAc: {
-  authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-    readonly organization: readonly ["update", "delete"];
-    readonly member: readonly ["create", "update", "delete"];
-    readonly invitation: readonly ["create", "cancel"];
-    readonly team: readonly ["create", "update", "delete"];
-    readonly ac: readonly ["create", "read", "update", "delete"];
-  }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-    readonly organization: readonly ["update", "delete"];
-    readonly member: readonly ["create", "update", "delete"];
-    readonly invitation: readonly ["create", "cancel"];
-    readonly team: readonly ["create", "update", "delete"];
-    readonly ac: readonly ["create", "read", "update", "delete"];
-  }>[key] | {
-    actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key];
-    connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-  statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
+  statements: {
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
     readonly team: readonly ["create", "update", "delete"];
     readonly ac: readonly ["create", "read", "update", "delete"];
-  }>;
+  };
 };
-declare const memberAc: {
-  authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
+declare const adminAc: Role<ExactRoleStatements<{
+  readonly organization: ["update"];
+  readonly invitation: ["create", "cancel"];
+  readonly member: ["create", "update", "delete"];
+  readonly team: ["create", "update", "delete"];
+  readonly ac: ["create", "read", "update", "delete"];
+}>, {
+  readonly organization: readonly ["update", "delete"];
+  readonly member: readonly ["create", "update", "delete"];
+  readonly invitation: readonly ["create", "cancel"];
+  readonly team: readonly ["create", "update", "delete"];
+  readonly ac: readonly ["create", "read", "update", "delete"];
+}>;
+declare const ownerAc: Role<ExactRoleStatements<{
+  readonly organization: ["update", "delete"];
+  readonly member: ["create", "update", "delete"];
+  readonly invitation: ["create", "cancel"];
+  readonly team: ["create", "update", "delete"];
+  readonly ac: ["create", "read", "update", "delete"];
+}>, {
+  readonly organization: readonly ["update", "delete"];
+  readonly member: readonly ["create", "update", "delete"];
+  readonly invitation: readonly ["create", "cancel"];
+  readonly team: readonly ["create", "update", "delete"];
+  readonly ac: readonly ["create", "read", "update", "delete"];
+}>;
+declare const memberAc: Role<ExactRoleStatements<{
+  readonly organization: [];
+  readonly member: [];
+  readonly invitation: [];
+  readonly team: [];
+  readonly ac: ["read"];
+}>, {
+  readonly organization: readonly ["update", "delete"];
+  readonly member: readonly ["create", "update", "delete"];
+  readonly invitation: readonly ["create", "cancel"];
+  readonly team: readonly ["create", "update", "delete"];
+  readonly ac: readonly ["create", "read", "update", "delete"];
+}>;
+declare const defaultRoles: {
+  admin: Role<ExactRoleStatements<{
+    readonly organization: ["update"];
+    readonly invitation: ["create", "cancel"];
+    readonly member: ["create", "update", "delete"];
+    readonly team: ["create", "update", "delete"];
+    readonly ac: ["create", "read", "update", "delete"];
+  }>, {
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
     readonly team: readonly ["create", "update", "delete"];
     readonly ac: readonly ["create", "read", "update", "delete"];
-  }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
+  }>;
+  owner: Role<ExactRoleStatements<{
+    readonly organization: ["update", "delete"];
+    readonly member: ["create", "update", "delete"];
+    readonly invitation: ["create", "cancel"];
+    readonly team: ["create", "update", "delete"];
+    readonly ac: ["create", "read", "update", "delete"];
+  }>, {
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
     readonly team: readonly ["create", "update", "delete"];
     readonly ac: readonly ["create", "read", "update", "delete"];
-  }>[key] | {
-    actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key];
-    connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-  statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
+  }>;
+  member: Role<ExactRoleStatements<{
+    readonly organization: [];
+    readonly member: [];
+    readonly invitation: [];
+    readonly team: [];
+    readonly ac: ["read"];
+  }>, {
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
@@ -147,100 +109,5 @@ declare const memberAc: {
     readonly ac: readonly ["create", "read", "update", "delete"];
   }>;
 };
-declare const defaultRoles: {
-  admin: {
-    authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key] | {
-      actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-        readonly organization: readonly ["update", "delete"];
-        readonly member: readonly ["create", "update", "delete"];
-        readonly invitation: readonly ["create", "cancel"];
-        readonly team: readonly ["create", "update", "delete"];
-        readonly ac: readonly ["create", "read", "update", "delete"];
-      }>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>;
-  };
-  owner: {
-    authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key] | {
-      actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-        readonly organization: readonly ["update", "delete"];
-        readonly member: readonly ["create", "update", "delete"];
-        readonly invitation: readonly ["create", "cancel"];
-        readonly team: readonly ["create", "update", "delete"];
-        readonly ac: readonly ["create", "read", "update", "delete"];
-      }>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>;
-  };
-  member: {
-    authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key] | {
-      actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-        readonly organization: readonly ["update", "delete"];
-        readonly member: readonly ["create", "update", "delete"];
-        readonly invitation: readonly ["create", "cancel"];
-        readonly team: readonly ["create", "update", "delete"];
-        readonly ac: readonly ["create", "read", "update", "delete"];
-      }>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>;
-  };
-};
 //#endregion
 export { adminAc, defaultAc, defaultRoles, defaultStatements, memberAc, ownerAc };

package/dist/plugins/organization/client.d.mts

@@ -238,6 +238,7 @@ declare const organizationClient: <CO extends OrganizationClientOptions>(options
     INVITATION_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"INVITATION_NOT_FOUND">;
     YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION">;
     EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION: _better_auth_core_utils_error_codes0.RawError<"EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION">;
+    EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION: _better_auth_core_utils_error_codes0.RawError<"EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION">;
     YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION">;
     INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION: _better_auth_core_utils_error_codes0.RawError<"INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION">;
     YOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE">;

package/dist/plugins/organization/client.mjs

@@ -71,7 +71,7 @@ const organizationClient = (options) => {
 			},
 			{
 				matcher(path) {
-					return path.startsWith("/organization");
+					return path === "/sign-out" || path.startsWith("/organization");
 				},
 				signal: "$activeOrgSignal"
 			},

package/dist/plugins/organization/error-codes.d.mts

@@ -25,6 +25,7 @@ declare const ORGANIZATION_ERROR_CODES: {
   INVITATION_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"INVITATION_NOT_FOUND">;
   YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION">;
   EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION: _better_auth_core_utils_error_codes0.RawError<"EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION">;
+  EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION: _better_auth_core_utils_error_codes0.RawError<"EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION">;
   YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION">;
   INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION: _better_auth_core_utils_error_codes0.RawError<"INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION">;
   YOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE">;

package/dist/plugins/organization/error-codes.mjs

@@ -24,6 +24,7 @@ const ORGANIZATION_ERROR_CODES = defineErrorCodes({
 	INVITATION_NOT_FOUND: "Invitation not found",
 	YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION: "You are not the recipient of the invitation",
 	EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION: "Email verification required before accepting or rejecting invitation",
+	EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION: "Email verification required to view or list invitations for the session email",
 	YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION: "You are not allowed to cancel this invitation",
 	INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION: "Inviter is no longer a member of the organization",
 	YOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE: "You are not allowed to invite a user with this role",

package/dist/plugins/organization/routes/crud-access-control.d.mts

@@ -1,5 +1,5 @@
 import { InferAdditionalFieldsFromPluginOptions } from "../../../db/field.mjs";
-import { Statements, Subset } from "../../access/types.mjs";
+import { ExactRoleStatements } from "../../access/types.mjs";
 import { OrganizationOptions } from "../types.mjs";
 import { OrganizationRole } from "../schema.mjs";
 import * as better_call0 from "better-call";
@@ -91,7 +91,7 @@ declare const createOrgRole: <O extends OrganizationOptions>(options: O) => bett
     createdAt: Date;
     updatedAt?: Date | undefined;
   } & InferAdditionalFieldsFromPluginOptions<"organizationRole", O, false>;
-  statements: Subset<string, Statements>;
+  statements: ExactRoleStatements<Record<string, string[]>>;
 }>;
 declare const deleteOrgRole: <O extends OrganizationOptions>(options: O) => better_call0.StrictEndpoint<"/organization/delete-role", {
   method: "POST";

package/dist/plugins/organization/routes/crud-invites.d.mts

@@ -4,11 +4,18 @@ import { OrganizationOptions } from "../types.mjs";
 import { InferOrganizationRolesFromOption, InvitationStatus } from "../schema.mjs";
 import { defaultRoles } from "../access/statement.mjs";
 import * as _better_auth_core0 from "@better-auth/core";
+import { LiteralString } from "@better-auth/core";
 import * as _better_auth_core_db0 from "@better-auth/core/db";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 
 //#region src/plugins/organization/routes/crud-invites.d.ts
+type DynamicOrganizationRole<O extends OrganizationOptions> = O extends {
+  dynamicAccessControl: {
+    enabled: true;
+  };
+} ? LiteralString : never;
+type OrganizationInvitationRole<O extends OrganizationOptions> = InferOrganizationRolesFromOption<O> | DynamicOrganizationRole<O>;
 declare const createInvitation: <O extends OrganizationOptions>(option: O) => better_call0.StrictEndpoint<"/organization/invite-member", {
   method: "POST";
   requireHeaders: true;
@@ -109,7 +116,7 @@ declare const createInvitation: <O extends OrganizationOptions>(option: O) => be
         /**
          * The role to assign to the user
          */
-        role: InferOrganizationRolesFromOption<O> | InferOrganizationRolesFromOption<O>[];
+        role: OrganizationInvitationRole<O> | OrganizationInvitationRole<O>[];
         /**
          * The organization ID to invite
          * the user to

package/dist/plugins/organization/routes/crud-invites.mjs

@@ -114,7 +114,7 @@ const createInvitation = (option) => {
 			email,
 			organizationId
 		});
-		if (alreadyInvited.length && !ctx.body.resend) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION);
+		if (alreadyInvited.length && !ctx.body.resend && !ctx.context.orgOptions.cancelPendingInvitationsOnReInvite) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION);
 		const organization = await adapter.findOrganizationById(organizationId);
 		if (!organization) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.ORGANIZATION_NOT_FOUND);
 		if (alreadyInvited.length && ctx.body.resend) {
@@ -244,7 +244,7 @@ const acceptInvitation = (options) => createAuthEndpoint("/organization/accept-i
 	const invitation = await adapter.findInvitationById(ctx.body.invitationId);
 	if (!invitation || invitation.expiresAt < /* @__PURE__ */ new Date() || invitation.status !== "pending") throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVITATION_NOT_FOUND);
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
-	if (ctx.context.orgOptions.requireEmailVerificationOnInvitation && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
+	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
 	const membershipLimit = ctx.context.orgOptions?.membershipLimit || 100;
 	const membersCount = await adapter.countMembers({ organizationId: invitation.organizationId });
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
@@ -333,7 +333,7 @@ const rejectInvitation = (options) => createAuthEndpoint("/organization/reject-i
 		code: "INVITATION_NOT_FOUND"
 	});
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
-	if (ctx.context.orgOptions.requireEmailVerificationOnInvitation && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
+	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
 	if (!organization) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.ORGANIZATION_NOT_FOUND);
 	if (options?.organizationHooks?.beforeRejectInvitation) await options?.organizationHooks.beforeRejectInvitation({
@@ -452,6 +452,7 @@ const getInvitation = (options) => createAuthEndpoint("/organization/get-invitat
 	const invitation = await adapter.findInvitationById(ctx.query.id);
 	if (!invitation || invitation.status !== "pending" || invitation.expiresAt < /* @__PURE__ */ new Date()) throw APIError.fromStatus("BAD_REQUEST", { message: "Invitation not found!" });
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
+	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
 	if (!organization) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.ORGANIZATION_NOT_FOUND);
 	const member = await adapter.findMemberByOrgId({
@@ -537,6 +538,7 @@ const listUserInvitations = (options) => createAuthEndpoint("/organization/list-
 }, async (ctx) => {
 	const session = await getSessionFromCtx(ctx);
 	if (ctx.request && ctx.query?.email) throw APIError.fromStatus("BAD_REQUEST", { message: "User email cannot be passed for client side API calls." });
+	if (session && (ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
 	const userEmail = session?.user.email || ctx.query?.email;
 	if (!userEmail) throw APIError.fromStatus("BAD_REQUEST", { message: "Missing session headers, or email query parameter." });
 	const pendingInvitations = (await getOrgAdapter(ctx.context, options).listUserInvitations(userEmail)).filter((inv) => inv.status === "pending");

package/dist/plugins/organization/routes/crud-team.mjs

@@ -376,7 +376,7 @@ const setActiveTeam = (options) => createAuthEndpoint("/organization/set-active-
 	requireHeaders: true,
 	use: [orgSessionMiddleware, orgMiddleware],
 	metadata: { openapi: {
-		description: "Set the active team",
+		description: "Set the active team for the current active organization",
 		responses: { "200": {
 			description: "Success",
 			content: { "application/json": { schema: {
@@ -403,7 +403,12 @@ const setActiveTeam = (options) => createAuthEndpoint("/organization/set-active-
 		if (!sessionTeamId) return ctx.json(null);
 		else teamId = sessionTeamId;
 	} else teamId = ctx.body.teamId;
-	const team = await adapter.findTeamById({ teamId });
+	const activeOrganizationId = session.session.activeOrganizationId;
+	if (!activeOrganizationId) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.NO_ACTIVE_ORGANIZATION);
+	const team = await adapter.findTeamById({
+		teamId,
+		organizationId: activeOrganizationId
+	});
 	if (!team) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.TEAM_NOT_FOUND);
 	if (!await adapter.findTeamMember({
 		teamId,

package/dist/plugins/organization/types.d.mts

@@ -165,9 +165,19 @@ interface OrganizationOptions {
    */
   cancelPendingInvitationsOnReInvite?: boolean | undefined;
   /**
-   * Require email verification on accepting or rejecting an invitation
+   * Require email verification on session-authenticated recipient invitation
+   * calls (accept, reject, get, list). Defaults to `true` so unverified
+   * accounts registered against a victim's email cannot accept, read, or
+   * enumerate invitations targeted at that email. Server-side
+   * `listUserInvitations` calls without a session (caller passes
+   * `ctx.query.email`) continue to bypass the gate because the caller is
+   * trusted. Set to `false` for backward compatibility on apps that do not
+   * require email verification; understand the takeover risk before doing so.
    *
-   * @default false
+   * @default true
+   *
+   * @deprecated The option will be removed on the next minor; the gate will
+   * become unconditional. Plan to verify emails before invitation acceptance.
    */
   requireEmailVerificationOnInvitation?: boolean | undefined;
   /**

package/dist/plugins/siwe/client.d.mts

@@ -5,6 +5,10 @@ declare const siweClient: () => {
   id: "siwe";
   version: string;
   $InferServerPlugin: ReturnType<typeof siwe>;
+  pathMethods: {
+    "/siwe/nonce": "POST";
+    "/siwe/get-nonce": "POST";
+  };
 };
 //#endregion
 export { siweClient };

package/dist/plugins/siwe/client.mjs

@@ -4,7 +4,11 @@ const siweClient = () => {
 	return {
 		id: "siwe",
 		version: PACKAGE_VERSION,
-		$InferServerPlugin: {}
+		$InferServerPlugin: {},
+		pathMethods: {
+			"/siwe/nonce": "POST",
+			"/siwe/get-nonce": "POST"
+		}
 	};
 };
 //#endregion

package/dist/plugins/siwe/index.d.mts

@@ -26,10 +26,21 @@ declare const siwe: (options: SIWEPluginOptions) => {
   version: string;
   schema: WalletAddressSchema;
   endpoints: {
-    getSiweNonce: better_call0.StrictEndpoint<"/siwe/nonce", {
+    getSiweNonce: better_call0.StrictEndpoint<"/siwe/nonce" | "/siwe/get-nonce", {
       method: "POST";
       body: z.ZodObject<{
-        walletAddress: z.ZodString;
+        walletAddress: z.ZodOptional<z.ZodString>;
+        address: z.ZodOptional<z.ZodString>;
+        chainId: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+      }, z.core.$strip>;
+    }, {
+      nonce: string;
+    }>;
+    getNonce: better_call0.StrictEndpoint<"/siwe/nonce" | "/siwe/get-nonce", {
+      method: "POST";
+      body: z.ZodObject<{
+        walletAddress: z.ZodOptional<z.ZodString>;
+        address: z.ZodOptional<z.ZodString>;
         chainId: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
       }, z.core.$strip>;
     }, {