better-auth 1.7.0-beta.0 → 1.7.0-beta.2

package/dist/api/index.d.mts

@@ -216,6 +216,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       query: zod.ZodOptional<zod.ZodObject<{
         code: zod.ZodOptional<zod.ZodString>;
@@ -224,6 +225,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       metadata: {
         allowedMediaTypes: string[];
@@ -2205,6 +2207,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       query: zod.ZodOptional<zod.ZodObject<{
         code: zod.ZodOptional<zod.ZodString>;
@@ -2213,6 +2216,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       metadata: {
         allowedMediaTypes: string[];

package/dist/api/routes/account.mjs

@@ -1,6 +1,6 @@
 import { parseAccountOutput } from "../../db/schema.mjs";
-import { getAwaitableValue } from "../../context/helpers.mjs";
 import { getAccountCookie, setAccountCookie } from "../../cookies/session-store.mjs";
+import { getAwaitableValue } from "../../context/helpers.mjs";
 import { generateState } from "../../oauth2/state.mjs";
 import { decryptOAuthToken, setTokenUtil } from "../../oauth2/utils.mjs";
 import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "./session.mjs";

package/dist/api/routes/callback.d.mts

@@ -12,6 +12,7 @@ declare const callbackOAuth: better_call0.StrictEndpoint<"/callback/:id", {
     error_description: z.ZodOptional<z.ZodString>;
     state: z.ZodOptional<z.ZodString>;
     user: z.ZodOptional<z.ZodString>;
+    iss: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>>;
   query: z.ZodOptional<z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
@@ -20,6 +21,7 @@ declare const callbackOAuth: better_call0.StrictEndpoint<"/callback/:id", {
     error_description: z.ZodOptional<z.ZodString>;
     state: z.ZodOptional<z.ZodString>;
     user: z.ZodOptional<z.ZodString>;
+    iss: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>>;
   metadata: {
     allowedMediaTypes: string[];

package/dist/api/routes/callback.mjs

@@ -1,7 +1,8 @@
-import { getAwaitableValue } from "../../context/helpers.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { getAwaitableValue } from "../../context/helpers.mjs";
 import { parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
+import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
@@ -14,7 +15,8 @@ const schema = z.object({
 	device_id: z.string().optional(),
 	error_description: z.string().optional(),
 	state: z.string().optional(),
-	user: z.string().optional()
+	user: z.string().optional(),
+	iss: z.string().optional()
 });
 const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	method: ["GET", "POST"],
@@ -48,7 +50,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		c.context.logger.error("INVALID_CALLBACK_REQUEST", e);
 		throw c.redirect(`${defaultErrorURL}?error=invalid_callback_request`);
 	}
-	const { code, error, state, error_description, device_id, user: userData } = queryOrBody;
+	const { code, error, state, error_description, device_id, user: userData, iss } = queryOrBody;
 	if (!state) {
 		c.context.logger.error("State not found", error);
 		const url = `${defaultErrorURL}${defaultErrorURL.includes("?") ? "&" : "?"}state=state_not_found`;
@@ -65,12 +67,19 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	if (error) redirectOnError(error, error_description);
 	if (!code) {
 		c.context.logger.error("Code not found");
-		throw redirectOnError("no_code");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.NO_CODE);
 	}
 	const provider = await getAwaitableValue(c.context.socialProviders, { value: c.params.id });
 	if (!provider) {
 		c.context.logger.error("Oauth provider with id", c.params.id, "not found");
-		throw redirectOnError("oauth_provider_not_found");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.PROVIDER_NOT_FOUND);
+	}
+	if (iss && provider.issuer && iss !== provider.issuer) {
+		c.context.logger.error("OAuth issuer mismatch", {
+			expected: provider.issuer,
+			received: iss
+		});
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.ISSUER_MISMATCH);
 	}
 	let tokens;
 	try {
@@ -82,9 +91,9 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		});
 	} catch (e) {
 		c.context.logger.error("", e);
-		throw redirectOnError("invalid_code");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.INVALID_CODE);
 	}
-	if (!tokens) throw redirectOnError("invalid_code");
+	if (!tokens) throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.INVALID_CODE);
 	const parsedUserData = userData ? safeJSONParse(userData) : null;
 	const userInfo = await provider.getUserInfo({
 		...tokens,
@@ -92,21 +101,21 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}).then((res) => res?.user);
 	if (!userInfo) {
 		c.context.logger.error("Unable to get user info");
-		return redirectOnError("unable_to_get_user_info");
+		return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_GET_USER_INFO);
 	}
 	if (!callbackURL) {
 		c.context.logger.error("No callback URL found");
-		throw redirectOnError("no_callback_url");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.NO_CALLBACK_URL);
 	}
 	if (link) {
 		if (!c.context.trustedProviders.includes(provider.id) && !userInfo.emailVerified || c.context.options.account?.accountLinking?.enabled === false) {
 			c.context.logger.error("Unable to link account - untrusted provider");
-			return redirectOnError("unable_to_link_account");
+			return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_LINK_ACCOUNT);
 		}
-		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError("email_doesn't_match");
+		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.EMAIL_DOES_NOT_MATCH);
 		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(String(userInfo.id), provider.id);
 		if (existingAccount) {
-			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError("account_already_linked_to_different_user");
+			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.ACCOUNT_ALREADY_LINKED_TO_DIFFERENT_USER);
 			const updateData = Object.fromEntries(Object.entries({
 				accessToken: await setTokenUtil(tokens.accessToken, c.context),
 				refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
@@ -124,7 +133,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 			accessToken: await setTokenUtil(tokens.accessToken, c.context),
 			refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
 			scope: tokens.scopes?.join(",")
-		})) return redirectOnError("unable_to_link_account");
+		})) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_LINK_ACCOUNT);
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();
@@ -135,7 +144,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}
 	if (!userInfo.email) {
 		c.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings.");
-		return redirectOnError("email_not_found");
+		return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.EMAIL_NOT_FOUND);
 	}
 	const accountData = {
 		providerId: provider.id,

package/dist/api/routes/email-verification.mjs

@@ -1,6 +1,6 @@
 import { originCheck } from "../middlewares/origin-check.mjs";
-import { parseUserOutput } from "../../db/schema.mjs";
 import { signJWT } from "../../crypto/jwt.mjs";
+import { parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getSessionFromCtx } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";

package/dist/api/routes/session.mjs

@@ -1,7 +1,7 @@
 import { isAPIError } from "../../utils/is-api-error.mjs";
-import { getDate } from "../../utils/date.mjs";
-import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
 import { symmetricDecodeJWT, verifyJWT } from "../../crypto/jwt.mjs";
+import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
+import { getDate } from "../../utils/date.mjs";
 import { getChunkedCookie, getSessionQuerySchema } from "../../cookies/session-store.mjs";
 import { deleteSessionCookie, expireCookie, setCookieCache, setSessionCookie } from "../../cookies/index.mjs";
 import { getShouldSkipSessionRefresh } from "../state/should-session-refresh.mjs";

package/dist/api/routes/sign-in.mjs

@@ -1,7 +1,7 @@
 import { formCsrfMiddleware } from "../middlewares/origin-check.mjs";
 import { parseUserOutput } from "../../db/schema.mjs";
-import { getAwaitableValue } from "../../context/helpers.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { getAwaitableValue } from "../../context/helpers.mjs";
 import { generateState } from "../../oauth2/state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";

package/dist/api/to-auth-endpoints.mjs

@@ -1,7 +1,9 @@
 import { isAPIError } from "../utils/is-api-error.mjs";
+import { isDynamicBaseURLConfig, isRequestLike } from "../utils/url.mjs";
+import { pickSource, resolveDynamicTrustedProxyHeaders, resolveRequestContext } from "../context/helpers.mjs";
 import { hasRequestState, runWithEndpointContext, runWithRequestState } from "@better-auth/core/context";
 import { shouldPublishLog } from "@better-auth/core/env";
-import { APIError } from "@better-auth/core/error";
+import { APIError, BetterAuthError } from "@better-auth/core/error";
 import { createDefu } from "defu";
 import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan } from "@better-auth/core/instrumentation";
 import { kAPIErrorHeaderSymbol, toResponse } from "better-call";
@@ -18,6 +20,27 @@ function getOperationId(endpoint, key) {
 	const opts = endpoint.options;
 	return opts.operationId ?? opts.metadata?.openapi?.operationId ?? key;
 }
+/**
+* Resolves the per-call `AuthContext` for endpoints with a dynamic `baseURL`.
+*
+* - `rawCtx.baseURL` already set: HTTP handler rehydrated upstream; return as-is.
+* - Direct `auth.api` call with a source or a configured `fallback`: resolve here.
+* - Neither: throw `APIError` with a helpful message. Leaving `baseURL = ""`
+*   would let plugins build `new URL("")` and crash cryptically downstream.
+*/
+async function resolveDynamicContext(rawCtx, input) {
+	if (rawCtx.baseURL) return rawCtx;
+	const source = pickSource(input);
+	const config = rawCtx.options.baseURL;
+	const hasFallback = isDynamicBaseURLConfig(config) && Boolean(config.fallback);
+	if (source === void 0 && !hasFallback) throw new APIError("INTERNAL_SERVER_ERROR", { message: "Dynamic baseURL could not be resolved for this direct auth.api call. Pass `headers: request.headers` (or `request`) to the call, or add `fallback` to your baseURL config." });
+	try {
+		return await resolveRequestContext(rawCtx, source, resolveDynamicTrustedProxyHeaders(rawCtx.options));
+	} catch (err) {
+		if (err instanceof BetterAuthError) throw new APIError("INTERNAL_SERVER_ERROR", { message: err.message });
+		throw err;
+	}
+}
 function toAuthEndpoints(endpoints, ctx) {
 	const api = {};
 	for (const [key, endpoint] of Object.entries(endpoints)) {
@@ -26,9 +49,10 @@ function toAuthEndpoints(endpoints, ctx) {
 			const endpointMethod = endpoint?.options?.method;
 			const defaultMethod = Array.isArray(endpointMethod) ? endpointMethod[0] : endpointMethod;
 			const run = async () => {
-				const authContext = await ctx;
+				const rawContext = await ctx;
 				const methodName = context?.method ?? context?.request?.method ?? defaultMethod ?? "?";
 				const route = endpoint.path ?? "/:virtual";
+				const authContext = isDynamicBaseURLConfig(rawContext.options.baseURL) ? await resolveDynamicContext(rawContext, context) : rawContext;
 				let internalContext = {
 					...context,
 					context: {
@@ -40,7 +64,7 @@ function toAuthEndpoints(endpoints, ctx) {
 					path: endpoint.path,
 					headers: context?.headers ? new Headers(context?.headers) : void 0
 				};
-				const hasRequest = context?.request instanceof Request;
+				const hasRequest = isRequestLike(context?.request);
 				const shouldReturnResponse = context?.asResponse ?? hasRequest;
 				return withSpan(`${methodName} ${route}`, {
 					[ATTR_HTTP_ROUTE]: route,
@@ -74,16 +98,43 @@ function toAuthEndpoints(endpoints, ctx) {
 						[ATTR_HTTP_ROUTE]: route,
 						[ATTR_OPERATION_ID]: operationId
 					}, () => endpoint(internalContext))).catch((e) => {
-						if (isAPIError(e))
- /**
-						* API Errors from response are caught
-						* and returned to hooks
-						*/
-						return {
-							response: e,
-							status: e.statusCode,
-							headers: e.headers ? new Headers(e.headers) : null
-						};
+						if (isAPIError(e)) {
+							/**
+							* API Errors from response are caught
+							* and returned to hooks.
+							*
+							* Headers come from two sources that must both
+							* survive:
+							* - `kAPIErrorHeaderSymbol`: ctx.responseHeaders
+							*   accumulated via c.setCookie / c.setHeader
+							*   before the throw.
+							* - `e.headers`: explicit headers on the APIError
+							*   (e.g. `location` from c.redirect).
+							*
+							* Start from the accumulated ctx headers, then
+							* apply e.headers on top — appending `set-cookie`
+							* and setting others — so explicit APIError
+							* headers override while cookies accumulate.
+							*/
+							const ctxHeaders = e[kAPIErrorHeaderSymbol];
+							const errHeaders = e.headers ? new Headers(e.headers) : null;
+							let headers = null;
+							if (ctxHeaders || errHeaders) {
+								headers = new Headers();
+								ctxHeaders?.forEach((value, key) => {
+									headers.append(key, value);
+								});
+								errHeaders?.forEach((value, key) => {
+									if (key.toLowerCase() === "set-cookie") headers.append(key, value);
+									else headers.set(key, value);
+								});
+							}
+							return {
+								response: e,
+								status: e.statusCode,
+								headers
+							};
+						}
 						throw e;
 					});
 					if (result && result instanceof Response) return result;
@@ -92,7 +143,26 @@ function toAuthEndpoints(endpoints, ctx) {
 					const after = await runAfterHooks(internalContext, afterHooks, endpoint, operationId);
 					if (after.response) result.response = after.response;
 					if (isAPIError(result.response) && shouldPublishLog(authContext.logger.level, "debug")) result.response.stack = result.response.errorStack;
-					if (isAPIError(result.response) && !shouldReturnResponse) throw result.response;
+					if (isAPIError(result.response) && !shouldReturnResponse) {
+						/**
+						* Non-response path: we re-throw the raw APIError
+						* to callers of `auth.api.*`. `result.headers`
+						* holds the merged ctx + explicit headers (see
+						* catch block above) — rewrite
+						* `kAPIErrorHeaderSymbol` with the merged set so
+						* downstream pipelines (e.g. better-call's
+						* response builder, or an outer hook catch) see
+						* the same headers we'd have written on the
+						* response.
+						*/
+						if (result.headers) Object.defineProperty(result.response, kAPIErrorHeaderSymbol, {
+							enumerable: false,
+							configurable: true,
+							writable: false,
+							value: result.headers
+						});
+						throw result.response;
+					}
 					return shouldReturnResponse ? toResponse(result.response, {
 						headers: result.headers,
 						status: result.status

package/dist/auth/base.mjs

@@ -1,6 +1,5 @@
-import { getBaseURL, getOrigin, isDynamicBaseURLConfig, resolveBaseURL } from "../utils/url.mjs";
-import { getTrustedOrigins, getTrustedProviders } from "../context/helpers.mjs";
-import { createCookieGetter, getCookies } from "../cookies/index.mjs";
+import { getBaseURL, getOrigin, isDynamicBaseURLConfig } from "../utils/url.mjs";
+import { getTrustedOrigins, getTrustedProviders, resolveDynamicTrustedProxyHeaders, resolveRequestContext } from "../context/helpers.mjs";
 import { getEndpoints, router } from "../api/index.mjs";
 import { runWithAdapter } from "@better-auth/core/context";
 import { BASE_ERROR_CODES, BetterAuthError } from "@better-auth/core/error";
@@ -13,26 +12,8 @@ const createBetterAuth = (options, initFn) => {
 			const ctx = await authContext;
 			const basePath = ctx.options.basePath || "/api/auth";
 			let handlerCtx;
-			if (isDynamicBaseURLConfig(options.baseURL)) {
-				handlerCtx = Object.create(Object.getPrototypeOf(ctx), Object.getOwnPropertyDescriptors(ctx));
-				const baseURL = resolveBaseURL(options.baseURL, basePath, request);
-				if (baseURL) {
-					handlerCtx.baseURL = baseURL;
-					handlerCtx.options = {
-						...ctx.options,
-						baseURL: getOrigin(baseURL) || void 0
-					};
-				} else throw new BetterAuthError("Could not resolve base URL from request. Check your allowedHosts config.");
-				const trustedOriginOptions = {
-					...handlerCtx.options,
-					baseURL: options.baseURL
-				};
-				handlerCtx.trustedOrigins = await getTrustedOrigins(trustedOriginOptions, request);
-				if (options.advanced?.crossSubDomainCookies?.enabled) {
-					handlerCtx.authCookies = getCookies(handlerCtx.options);
-					handlerCtx.createAuthCookie = createCookieGetter(handlerCtx.options);
-				}
-			} else {
+			if (isDynamicBaseURLConfig(options.baseURL)) handlerCtx = await resolveRequestContext(ctx, request, resolveDynamicTrustedProxyHeaders(ctx.options));
+			else {
 				handlerCtx = ctx;
 				if (!ctx.options.baseURL) {
 					const baseURL = getBaseURL(void 0, basePath, request, void 0, ctx.options.advanced?.trustedProxyHeaders);
@@ -42,8 +23,8 @@ const createBetterAuth = (options, initFn) => {
 					} else throw new BetterAuthError("Could not get base URL from request. Please provide a valid base URL.");
 				}
 				handlerCtx.trustedOrigins = await getTrustedOrigins(ctx.options, request);
+				handlerCtx.trustedProviders = await getTrustedProviders(ctx.options, request);
 			}
-			handlerCtx.trustedProviders = await getTrustedProviders(handlerCtx.options, request);
 			const { handler } = router(handlerCtx, options);
 			return runWithAdapter(handlerCtx.adapter, () => handler(request));
 		},

package/dist/client/config.mjs

@@ -67,7 +67,7 @@ const getClientConfig = (options, loadEnv) => {
 	const atomListeners = [{
 		signal: "$sessionSignal",
 		matcher(path) {
-			return path === "/sign-out" || path === "/update-user" || path === "/update-session" || path === "/sign-up/email" || path === "/sign-in/email" || path === "/delete-user" || path === "/verify-email" || path === "/revoke-sessions" || path === "/revoke-session" || path === "/change-email";
+			return path === "/sign-out" || path === "/update-user" || path === "/update-session" || path === "/sign-up/email" || path === "/sign-in/email" || path === "/delete-user" || path === "/verify-email" || path === "/revoke-sessions" || path === "/revoke-session" || path === "/revoke-other-sessions" || path === "/change-email" || path === "/change-password";
 		},
 		callback(path) {
 			if (path === "/sign-out") broadcastSessionUpdate("signout");

package/dist/client/path-to-object.d.mts

@@ -1,10 +1,41 @@
 import { HasRequiredKeys, IsAny, Prettify as Prettify$1, UnionToIntersection } from "../types/helper.mjs";
 import { InferAdditionalFromClient, InferSessionFromClient, InferUserFromClient } from "./types.mjs";
 import { BetterAuthClientOptions, ClientFetchOption } from "@better-auth/core";
+import { SocialProviderList } from "@better-auth/core/social-providers";
 import { Endpoint, InputContext, StandardSchemaV1 } from "better-call";
 import { BetterFetchResponse } from "@better-fetch/fetch";
 
 //#region src/client/path-to-object.d.ts
+/**
+ * Extract generic OAuth provider IDs from the client options.
+ * Supports both `$InferAuth` (server type bridge) and client plugins
+ * with `$InferServerPlugin`.
+ */
+type InferGenericOAuthProviderIds<O extends BetterAuthClientOptions> = (O extends {
+  $InferAuth: {
+    options: {
+      plugins: Array<infer P>;
+    };
+  };
+} ? P extends {
+  id: "generic-oauth";
+  options: {
+    config: Array<{
+      providerId: infer ID;
+    }>;
+  };
+} ? ID & string : never : never) | (O extends {
+  plugins: Array<infer P>;
+} ? P extends {
+  $InferServerPlugin: {
+    id: "generic-oauth";
+    options: {
+      config: Array<{
+        providerId: infer ID;
+      }>;
+    };
+  };
+} ? ID & string : never : never);
 type KeepNullishFromOriginal<Original, Replaced> = Replaced | (undefined extends Original ? undefined : never) | (null extends Original ? null : never);
 type ReplaceTopLevelField<Data, Field extends "user" | "session", Replaced> = Data extends object ? Field extends keyof Data ? Omit<Data, Field> & { [K in Field]: KeepNullishFromOriginal<Data[K], Replaced> } : Data : Data;
 type ReplaceAuthUserAndSession<Data, ClientOpts extends BetterAuthClientOptions> = ReplaceTopLevelField<ReplaceTopLevelField<Data, "user", InferUserFromClient<ClientOpts>>, "session", InferSessionFromClient<ClientOpts>>;
@@ -51,7 +82,10 @@ type InferRoute<API, COpts extends BetterAuthClientOptions> = API extends Record
   scope: "http";
 } | {
   scope: "server";
-} ? {} : PathToObject<T["path"], T extends ((ctx: infer C) => infer R) ? C extends InputContext<any, any> ? <FetchOptions extends ClientFetchOption<Partial<C["body"]> & Record<string, any>, Partial<C["query"]> & Record<string, any>, C["params"]>>(...data: HasRequiredKeys<InferCtx<C, FetchOptions>> extends true ? [Prettify$1<T["path"] extends `/sign-up/email` ? InferSignUpEmailCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>, FetchOptions?] : [Prettify$1<T["path"] extends `/update-user` ? InferUserUpdateCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>?, FetchOptions?]) => Promise<BetterFetchResponse<T["options"]["metadata"] extends {
+} ? {} : PathToObject<T["path"], T extends ((ctx: infer C) => infer R) ? C extends InputContext<any, any> ? <FetchOptions extends ClientFetchOption<Partial<C["body"]> & Record<string, any>, Partial<C["query"]> & Record<string, any>, C["params"]>>(...data: HasRequiredKeys<InferCtx<C, FetchOptions>> extends true ? [Prettify$1<T["path"] extends `/sign-up/email` ? InferSignUpEmailCtx<COpts, FetchOptions> : T["path"] extends `/sign-in/social` ? Omit<InferCtx<C, FetchOptions>, "provider"> & {
+  provider: SocialProviderList[number] | InferGenericOAuthProviderIds<COpts> | (string & {});
+  fetchOptions?: FetchOptions | undefined;
+} : InferCtx<C, FetchOptions>>, FetchOptions?] : [Prettify$1<T["path"] extends `/update-user` ? InferUserUpdateCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>?, FetchOptions?]) => Promise<BetterFetchResponse<T["options"]["metadata"] extends {
   CUSTOM_SESSION: boolean;
 } ? MergeCustomSessionWithInferred<NonNullable<Awaited<R>>, COpts> : T["path"] extends "/get-session" ? {
   user: InferUserFromClient<COpts>;

package/dist/client/plugins/index.d.mts

@@ -14,13 +14,13 @@ import { OktaOptions, okta } from "../../plugins/generic-oauth/providers/okta.mj
 import { PatreonOptions, patreon } from "../../plugins/generic-oauth/providers/patreon.mjs";
 import { SlackOptions, slack } from "../../plugins/generic-oauth/providers/slack.mjs";
 import { BaseOAuthProviderOptions } from "../../plugins/generic-oauth/index.mjs";
-import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "../../plugins/jwt/types.mjs";
+import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions, ResolvedSigningKey } from "../../plugins/jwt/types.mjs";
 import { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody } from "../../plugins/oidc-provider/types.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "../../plugins/multi-session/error-codes.mjs";
 import { MultiSessionConfig } from "../../plugins/multi-session/index.mjs";
 import { OneTimeTokenOptions } from "../../plugins/one-time-token/index.mjs";
 import { PhoneNumberOptions, UserWithPhoneNumber } from "../../plugins/phone-number/types.mjs";
-import { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode } from "../../plugins/two-factor/backup-codes/index.mjs";
+import { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode } from "../../plugins/two-factor/backup-codes/index.mjs";
 import { OTPOptions, otp2fa } from "../../plugins/two-factor/otp/index.mjs";
 import { TOTPOptions, totp2fa } from "../../plugins/two-factor/totp/index.mjs";
 import { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor } from "../../plugins/two-factor/types.mjs";
@@ -37,6 +37,7 @@ import { customSessionClient } from "../../plugins/custom-session/client.mjs";
 import { deviceAuthorizationClient } from "../../plugins/device-authorization/client.mjs";
 import { EMAIL_OTP_ERROR_CODES } from "../../plugins/email-otp/error-codes.mjs";
 import { emailOTPClient } from "../../plugins/email-otp/client.mjs";
+import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import { GENERIC_OAUTH_ERROR_CODES } from "../../plugins/generic-oauth/error-codes.mjs";
 import { genericOAuthClient } from "../../plugins/generic-oauth/client.mjs";
 import { jwtClient } from "../../plugins/jwt/client.mjs";
@@ -52,4 +53,4 @@ import { phoneNumberClient } from "../../plugins/phone-number/client.mjs";
 import { siweClient } from "../../plugins/siwe/client.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAUTH_CALLBACK_ERROR_CODES, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, RequiredKeysOf, ResolvedSigningKey, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };

package/dist/client/plugins/index.mjs

@@ -1,3 +1,4 @@
+import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import { inferAdditionalFields } from "../../plugins/additional-fields/client.mjs";
 import { ADMIN_ERROR_CODES } from "../../plugins/admin/error-codes.mjs";
 import { adminClient } from "../../plugins/admin/client.mjs";
@@ -27,4 +28,4 @@ import { twoFactorClient } from "../../plugins/two-factor/client.mjs";
 import { USERNAME_ERROR_CODES } from "../../plugins/username/error-codes.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, GENERIC_OAUTH_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, GENERIC_OAUTH_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, OAUTH_CALLBACK_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient };

package/dist/client/query.mjs

@@ -72,15 +72,15 @@ const useAuthQuery = (initializedAtom, path, $fetch, options) => {
 		});
 	};
 	initializedAtom = Array.isArray(initializedAtom) ? initializedAtom : [initializedAtom];
-	let isMounted = false;
+	let isInitialized = false;
 	for (const initAtom of initializedAtom) initAtom.subscribe(async () => {
 		if (isServer()) return;
-		if (isMounted) await fn();
+		if (isInitialized) await fn();
 		else onMount(value, () => {
 			const timeoutId = setTimeout(async () => {
-				if (!isMounted) {
+				if (!isInitialized) {
+					isInitialized = true;
 					await fn();
-					isMounted = true;
 				}
 			}, 0);
 			return () => {

package/dist/context/create-context.mjs

@@ -1,10 +1,10 @@
 import { getBaseURL, isDynamicBaseURLConfig } from "../utils/url.mjs";
 import { matchesOriginPattern } from "../auth/trusted-origins.mjs";
-import { createInternalAdapter } from "../db/internal-adapter.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
-import { getInternalPlugins, getTrustedOrigins, getTrustedProviders, runPluginInit } from "./helpers.mjs";
 import { hashPassword, verifyPassword } from "../crypto/password.mjs";
 import { createCookieGetter, getCookies } from "../cookies/index.mjs";
+import { createInternalAdapter } from "../db/internal-adapter.mjs";
+import { getInternalPlugins, getTrustedOrigins, getTrustedProviders, runPluginInit } from "./helpers.mjs";
 import { checkPassword } from "../utils/password.mjs";
 import { checkEndpointConflicts } from "../api/index.mjs";
 import { DEFAULT_SECRET } from "../utils/constants.mjs";

package/dist/context/helpers.mjs

@@ -1,8 +1,11 @@
-import { getBaseURL, isDynamicBaseURLConfig } from "../utils/url.mjs";
-import { createInternalAdapter } from "../db/internal-adapter.mjs";
+import { getBaseURL, getOrigin, isDynamicBaseURLConfig, isRequestLike, resolveBaseURL } from "../utils/url.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
+import { createCookieGetter, getCookies } from "../cookies/index.mjs";
+import { createInternalAdapter } from "../db/internal-adapter.mjs";
 import { env } from "@better-auth/core/env";
+import { BetterAuthError } from "@better-auth/core/error";
 import { defu } from "defu";
+import { isLoopbackHost } from "@better-auth/core/utils/host";
 //#region src/context/helpers.ts
 async function runPluginInit(context) {
 	let options = context.options;
@@ -60,7 +63,7 @@ async function getTrustedOrigins(options, request) {
 		const allowedHosts = options.baseURL.allowedHosts;
 		for (const host of allowedHosts) if (!host.includes("://")) {
 			trustedOrigins.push(`https://${host}`);
-			if (host.includes("localhost") || host.includes("127.0.0.1")) trustedOrigins.push(`http://${host}`);
+			if (isLoopbackHost(host)) trustedOrigins.push(`http://${host}`);
 		} else trustedOrigins.push(host);
 		if (options.baseURL.fallback) try {
 			trustedOrigins.push(new URL(options.baseURL.fallback).origin);
@@ -80,6 +83,62 @@ async function getTrustedOrigins(options, request) {
 	if (envTrustedOrigins) trustedOrigins.push(...envTrustedOrigins.split(","));
 	return trustedOrigins.filter((v) => Boolean(v));
 }
+/**
+* Picks a `Request`-like or `Headers` value from a direct `auth.api` call.
+* Headers are only accepted when they carry a host: without one, host
+* resolution would fall back to `null` and the caller should use `fallback`
+* or pass a `Request` instead.
+*/
+function pickSource(input) {
+	if (isRequestLike(input?.request)) return input.request;
+	if (!input?.headers) return void 0;
+	const headers = input.headers instanceof Headers ? input.headers : new Headers(input.headers);
+	if (!headers.has("host") && !headers.has("x-forwarded-host")) return;
+	return headers;
+}
+/**
+* Returns the effective `trustedProxyHeaders` value for dynamic `baseURL`
+* resolution. When the user hasn't set `advanced.trustedProxyHeaders`,
+* proxy headers (`x-forwarded-host` / `x-forwarded-proto`) are trusted by
+* default so deployments behind a reverse proxy work without extra config.
+*/
+function resolveDynamicTrustedProxyHeaders(options) {
+	return options.advanced?.trustedProxyHeaders ?? true;
+}
+/**
+* Per-request clone with `baseURL`, `trustedOrigins`, `trustedProviders`
+* and cookies rehydrated for the resolved host. Throws `BetterAuthError`
+* when the URL cannot be resolved; callers on the direct-API path convert
+* this to `APIError`.
+*/
+async function resolveRequestContext(ctx, source, trustedProxyHeaders) {
+	const dynamicBaseURLConfig = ctx.options.baseURL;
+	const baseURL = resolveBaseURL(dynamicBaseURLConfig, ctx.options.basePath || "/api/auth", source, void 0, trustedProxyHeaders);
+	if (!baseURL) throw new BetterAuthError("Could not resolve base URL from request. Check your allowedHosts config.");
+	const resolved = Object.create(Object.getPrototypeOf(ctx), Object.getOwnPropertyDescriptors(ctx));
+	resolved.baseURL = baseURL;
+	resolved.options = {
+		...ctx.options,
+		baseURL: getOrigin(baseURL) || void 0
+	};
+	const trustedOriginOptions = {
+		...resolved.options,
+		baseURL: dynamicBaseURLConfig
+	};
+	const needsRequest = typeof ctx.options.trustedOrigins === "function" || typeof ctx.options.account?.accountLinking?.trustedProviders === "function";
+	let callbackRequest;
+	if (needsRequest) if (isRequestLike(source)) callbackRequest = source;
+	else if (source) callbackRequest = new Request(baseURL, { headers: source });
+	else callbackRequest = void 0;
+	else callbackRequest = void 0;
+	resolved.trustedOrigins = await getTrustedOrigins(trustedOriginOptions, callbackRequest);
+	resolved.trustedProviders = await getTrustedProviders(resolved.options, callbackRequest);
+	if (ctx.options.advanced?.crossSubDomainCookies?.enabled) {
+		resolved.authCookies = getCookies(resolved.options);
+		resolved.createAuthCookie = createCookieGetter(resolved.options);
+	}
+	return resolved;
+}
 async function getAwaitableValue(arr, item) {
 	if (!arr) return void 0;
 	for (const val of arr) {
@@ -94,4 +153,4 @@ async function getTrustedProviders(options, request) {
 	return (await trustedProviders(request) ?? []).filter((v) => Boolean(v));
 }
 //#endregion
-export { getAwaitableValue, getInternalPlugins, getTrustedOrigins, getTrustedProviders, runPluginInit };
+export { getAwaitableValue, getInternalPlugins, getTrustedOrigins, getTrustedProviders, pickSource, resolveDynamicTrustedProxyHeaders, resolveRequestContext, runPluginInit };