better-auth 1.7.0-beta.1 → 1.7.0-beta.2

package/dist/api/to-auth-endpoints.mjs

@@ -98,16 +98,43 @@ function toAuthEndpoints(endpoints, ctx) {
 						[ATTR_HTTP_ROUTE]: route,
 						[ATTR_OPERATION_ID]: operationId
 					}, () => endpoint(internalContext))).catch((e) => {
-						if (isAPIError(e))
- /**
-						* API Errors from response are caught
-						* and returned to hooks
-						*/
-						return {
-							response: e,
-							status: e.statusCode,
-							headers: e.headers ? new Headers(e.headers) : null
-						};
+						if (isAPIError(e)) {
+							/**
+							* API Errors from response are caught
+							* and returned to hooks.
+							*
+							* Headers come from two sources that must both
+							* survive:
+							* - `kAPIErrorHeaderSymbol`: ctx.responseHeaders
+							*   accumulated via c.setCookie / c.setHeader
+							*   before the throw.
+							* - `e.headers`: explicit headers on the APIError
+							*   (e.g. `location` from c.redirect).
+							*
+							* Start from the accumulated ctx headers, then
+							* apply e.headers on top — appending `set-cookie`
+							* and setting others — so explicit APIError
+							* headers override while cookies accumulate.
+							*/
+							const ctxHeaders = e[kAPIErrorHeaderSymbol];
+							const errHeaders = e.headers ? new Headers(e.headers) : null;
+							let headers = null;
+							if (ctxHeaders || errHeaders) {
+								headers = new Headers();
+								ctxHeaders?.forEach((value, key) => {
+									headers.append(key, value);
+								});
+								errHeaders?.forEach((value, key) => {
+									if (key.toLowerCase() === "set-cookie") headers.append(key, value);
+									else headers.set(key, value);
+								});
+							}
+							return {
+								response: e,
+								status: e.statusCode,
+								headers
+							};
+						}
 						throw e;
 					});
 					if (result && result instanceof Response) return result;
@@ -116,7 +143,26 @@ function toAuthEndpoints(endpoints, ctx) {
 					const after = await runAfterHooks(internalContext, afterHooks, endpoint, operationId);
 					if (after.response) result.response = after.response;
 					if (isAPIError(result.response) && shouldPublishLog(authContext.logger.level, "debug")) result.response.stack = result.response.errorStack;
-					if (isAPIError(result.response) && !shouldReturnResponse) throw result.response;
+					if (isAPIError(result.response) && !shouldReturnResponse) {
+						/**
+						* Non-response path: we re-throw the raw APIError
+						* to callers of `auth.api.*`. `result.headers`
+						* holds the merged ctx + explicit headers (see
+						* catch block above) — rewrite
+						* `kAPIErrorHeaderSymbol` with the merged set so
+						* downstream pipelines (e.g. better-call's
+						* response builder, or an outer hook catch) see
+						* the same headers we'd have written on the
+						* response.
+						*/
+						if (result.headers) Object.defineProperty(result.response, kAPIErrorHeaderSymbol, {
+							enumerable: false,
+							configurable: true,
+							writable: false,
+							value: result.headers
+						});
+						throw result.response;
+					}
 					return shouldReturnResponse ? toResponse(result.response, {
 						headers: result.headers,
 						status: result.status

package/dist/client/config.mjs

@@ -67,7 +67,7 @@ const getClientConfig = (options, loadEnv) => {
 	const atomListeners = [{
 		signal: "$sessionSignal",
 		matcher(path) {
-			return path === "/sign-out" || path === "/update-user" || path === "/update-session" || path === "/sign-up/email" || path === "/sign-in/email" || path === "/delete-user" || path === "/verify-email" || path === "/revoke-sessions" || path === "/revoke-session" || path === "/change-email";
+			return path === "/sign-out" || path === "/update-user" || path === "/update-session" || path === "/sign-up/email" || path === "/sign-in/email" || path === "/delete-user" || path === "/verify-email" || path === "/revoke-sessions" || path === "/revoke-session" || path === "/revoke-other-sessions" || path === "/change-email" || path === "/change-password";
 		},
 		callback(path) {
 			if (path === "/sign-out") broadcastSessionUpdate("signout");

package/dist/context/helpers.mjs

@@ -5,6 +5,7 @@ import { createInternalAdapter } from "../db/internal-adapter.mjs";
 import { env } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
 import { defu } from "defu";
+import { isLoopbackHost } from "@better-auth/core/utils/host";
 //#region src/context/helpers.ts
 async function runPluginInit(context) {
 	let options = context.options;
@@ -62,7 +63,7 @@ async function getTrustedOrigins(options, request) {
 		const allowedHosts = options.baseURL.allowedHosts;
 		for (const host of allowedHosts) if (!host.includes("://")) {
 			trustedOrigins.push(`https://${host}`);
-			if (host.includes("localhost") || host.includes("127.0.0.1")) trustedOrigins.push(`http://${host}`);
+			if (isLoopbackHost(host)) trustedOrigins.push(`http://${host}`);
 		} else trustedOrigins.push(host);
 		if (options.baseURL.fallback) try {
 			trustedOrigins.push(new URL(options.baseURL.fallback).origin);

package/dist/cookies/cookie-utils.d.mts

@@ -7,9 +7,20 @@ interface CookieAttributes {
   path?: string | undefined;
   secure?: boolean | undefined;
   httponly?: boolean | undefined;
+  partitioned?: boolean | undefined;
   samesite?: ("strict" | "lax" | "none") | undefined;
   [key: string]: any;
 }
+interface ParsedCookieOptions {
+  maxAge?: number | undefined;
+  expires?: Date | undefined;
+  domain?: string | undefined;
+  path?: string | undefined;
+  secure?: boolean | undefined;
+  httpOnly?: boolean | undefined;
+  partitioned?: boolean | undefined;
+  sameSite?: CookieAttributes["samesite"];
+}
 declare const SECURE_COOKIE_PREFIX = "__Secure-";
 declare const HOST_COOKIE_PREFIX = "__Host-";
 /**
@@ -21,8 +32,9 @@ declare function stripSecureCookiePrefix(cookieName: string): string;
  */
 declare function splitSetCookieHeader(setCookie: string): string[];
 declare function parseSetCookieHeader(setCookie: string): Map<string, CookieAttributes>;
+declare function toCookieOptions(attributes: CookieAttributes): ParsedCookieOptions;
 declare function setCookieToHeader(headers: Headers): (context: {
   response: Response;
 }) => void;
 //#endregion
-export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix };
+export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/cookie-utils.mjs

@@ -78,6 +78,9 @@ function parseSetCookieHeader(setCookie) {
 				case "samesite":
 					attrObj.samesite = attrValue ? attrValue.trim().toLowerCase() : void 0;
 					break;
+				case "partitioned":
+					attrObj.partitioned = true;
+					break;
 				default:
 					attrObj[normalizedAttrName] = attrValue ? attrValue.trim() : true;
 					break;
@@ -87,6 +90,18 @@ function parseSetCookieHeader(setCookie) {
 	});
 	return cookies;
 }
+function toCookieOptions(attributes) {
+	return {
+		maxAge: attributes["max-age"],
+		expires: attributes.expires,
+		domain: attributes.domain,
+		path: attributes.path,
+		secure: attributes.secure,
+		httpOnly: attributes.httponly,
+		sameSite: attributes.samesite,
+		partitioned: attributes.partitioned
+	};
+}
 function setCookieToHeader(headers) {
 	return (context) => {
 		const setCookieHeader = context.response.headers.get("set-cookie");
@@ -104,4 +119,4 @@ function setCookieToHeader(headers) {
 	};
 }
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.d.mts

@@ -1,5 +1,5 @@
 import { Session, User } from "../types/models.mjs";
-import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix } from "./cookie-utils.mjs";
+import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createSessionStore, getAccountCookie, getChunkedCookie } from "./session-store.mjs";
 import { BetterAuthCookie, BetterAuthCookies, BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import * as better_call0 from "better-call";
@@ -116,4 +116,4 @@ declare const getCookieCache: <S extends {
   version?: string | ((session: Session & Record<string, any>, user: User & Record<string, any>) => string) | ((session: Session & Record<string, any>, user: User & Record<string, any>) => Promise<string>);
 } | undefined) => Promise<S | null>;
 //#endregion
-export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix };
+export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.mjs

@@ -4,7 +4,7 @@ import { parseUserOutput } from "../db/schema.mjs";
 import { getDate } from "../utils/date.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
 import { sec } from "../utils/time.mjs";
-import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix } from "./cookie-utils.mjs";
+import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { env, isProduction } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -258,4 +258,4 @@ const getCookieCache = async (request, config) => {
 	return null;
 };
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/integrations/next-js.mjs

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { setShouldSkipSessionRefresh } from "../api/state/should-session-refresh.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
@@ -70,16 +70,8 @@ const nextCookies = () => {
 						}
 						parsed.forEach((value, key) => {
 							if (!key) return;
-							const opts = {
-								sameSite: value.samesite,
-								secure: value.secure,
-								maxAge: value["max-age"],
-								httpOnly: value.httponly,
-								domain: value.domain,
-								path: value.path
-							};
 							try {
-								cookieHelper.set(key, value.value, opts);
+								cookieHelper.set(key, value.value, toCookieOptions(value));
 							} catch {}
 						});
 						return;

package/dist/integrations/svelte-kit.mjs

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/svelte-kit.ts
@@ -36,15 +36,10 @@ const sveltekitCookies = (getRequestEvent) => {
 					const event = getRequestEvent();
 					if (!event) return;
 					const parsed = parseSetCookieHeader(setCookies);
-					for (const [name, { value, ...ops }] of parsed) try {
-						event.cookies.set(name, value, {
-							sameSite: ops.samesite,
-							path: ops.path || "/",
-							expires: ops.expires,
-							secure: ops.secure,
-							httpOnly: ops.httponly,
-							domain: ops.domain,
-							maxAge: ops["max-age"]
+					for (const [name, attributes] of parsed) try {
+						event.cookies.set(name, attributes.value, {
+							...toCookieOptions(attributes),
+							path: attributes.path || "/"
 						});
 					} catch {}
 				}

package/dist/integrations/tanstack-start-solid.mjs

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/tanstack-start-solid.ts
@@ -37,16 +37,8 @@ const tanstackStartCookies = () => {
 					const { setCookie } = await import("@tanstack/solid-start/server");
 					parsed.forEach((value, key) => {
 						if (!key) return;
-						const opts = {
-							sameSite: value.samesite,
-							secure: value.secure,
-							maxAge: value["max-age"],
-							httpOnly: value.httponly,
-							domain: value.domain,
-							path: value.path
-						};
 						try {
-							setCookie(key, value.value, opts);
+							setCookie(key, value.value, toCookieOptions(value));
 						} catch {}
 					});
 					return;

package/dist/integrations/tanstack-start.mjs

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/tanstack-start.ts
@@ -37,16 +37,8 @@ const tanstackStartCookies = () => {
 					const { setCookie } = await import("@tanstack/react-start/server");
 					parsed.forEach((value, key) => {
 						if (!key) return;
-						const opts = {
-							sameSite: value.samesite,
-							secure: value.secure,
-							maxAge: value["max-age"],
-							httpOnly: value.httponly,
-							domain: value.domain,
-							path: value.path
-						};
 						try {
-							setCookie(key, value.value, opts);
+							setCookie(key, value.value, toCookieOptions(value));
 						} catch {}
 					});
 					return;

package/dist/oauth2/state.mjs

@@ -29,7 +29,7 @@ async function generateState(c, link, additionalData) {
 	}
 }
 async function parseState(c) {
-	const state = c.query.state || c.body.state;
+	const state = c.query.state || c.body?.state;
 	const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
 	let parsedData;
 	try {

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.7.0-beta.1";
+var version = "1.7.0-beta.2";
 //#endregion
 export { version };

package/dist/plugins/custom-session/index.d.mts

@@ -2,7 +2,8 @@ import * as _better_auth_core0 from "@better-auth/core";
 import { BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import { Session, User } from "@better-auth/core/db";
 import * as better_call0 from "better-call";
-import * as z from "zod";
+import * as zod from "zod";
+import * as zod_v4_core0 from "zod/v4/core";
 
 //#region src/plugins/custom-session/index.d.ts
 declare module "@better-auth/core" {
@@ -34,10 +35,10 @@ declare const customSession: <Returns extends Record<string, any>, O extends Bet
   endpoints: {
     getSession: better_call0.StrictEndpoint<"/get-session", {
       method: "GET";
-      query: z.ZodOptional<z.ZodObject<{
-        disableCookieCache: z.ZodOptional<z.ZodUnion<[z.ZodBoolean, z.ZodPipe<z.ZodString, z.ZodTransform<boolean, string>>]>>;
-        disableRefresh: z.ZodOptional<z.ZodBoolean>;
-      }, z.core.$strip>>;
+      query: zod.ZodOptional<zod.ZodObject<{
+        disableCookieCache: zod.ZodOptional<zod.ZodCoercedBoolean<unknown>>;
+        disableRefresh: zod.ZodOptional<zod.ZodCoercedBoolean<unknown>>;
+      }, zod_v4_core0.$strip>>;
       metadata: {
         CUSTOM_SESSION: boolean;
         openapi: {

package/dist/plugins/custom-session/index.mjs

@@ -1,14 +1,10 @@
-import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../../cookies/cookie-utils.mjs";
+import { getSessionQuerySchema } from "../../cookies/session-store.mjs";
 import { getSession } from "../../api/routes/session.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { getEndpointResponse } from "../../utils/plugin-helper.mjs";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
-import * as z from "zod";
 //#region src/plugins/custom-session/index.ts
-const getSessionQuerySchema = z.optional(z.object({
-	disableCookieCache: z.boolean().meta({ description: "Disable cookie cache and fetch session from database" }).or(z.string().transform((v) => v === "true")).optional(),
-	disableRefresh: z.boolean().meta({ description: "Disable session refresh. Useful for checking session status, without updating the session" }).optional()
-}));
 const customSession = (fn, options, pluginOptions) => {
 	return {
 		id: "custom-session",
@@ -53,15 +49,7 @@ const customSession = (fn, options, pluginOptions) => {
 			if (!session?.response) return ctx.json(null);
 			const fnResult = await fn(session.response, ctx);
 			for (const cookieStr of session.headers.getSetCookie()) parseSetCookieHeader(cookieStr).forEach((attrs, name) => {
-				ctx.setCookie(name, attrs.value, {
-					maxAge: attrs["max-age"],
-					expires: attrs.expires,
-					domain: attrs.domain,
-					path: attrs.path,
-					secure: attrs.secure,
-					httpOnly: attrs.httponly,
-					sameSite: attrs.samesite
-				});
+				ctx.setCookie(name, attrs.value, toCookieOptions(attrs));
 			});
 			session.headers.delete("set-cookie");
 			session.headers.forEach((value, key) => {

package/dist/plugins/organization/organization.d.mts

@@ -1,6 +1,6 @@
 import { AccessControl, ArrayElement, Statements } from "../access/types.mjs";
 import { OrganizationOptions } from "./types.mjs";
-import { InferInvitation, InferMember, InferOrganization, InferTeam, OrganizationSchema, Team, TeamMember } from "./schema.mjs";
+import { InferInvitation, InferMember, InferOrganization, InferTeam, OrganizationSchema, TeamMember } from "./schema.mjs";
 import { ORGANIZATION_ERROR_CODES } from "./error-codes.mjs";
 import { createOrgRole, deleteOrgRole, getOrgRole, listOrgRoles, updateOrgRole } from "./routes/crud-access-control.mjs";
 import { acceptInvitation, cancelInvitation, createInvitation, getInvitation, listInvitations, listUserInvitations, rejectInvitation } from "./routes/crud-invites.mjs";
@@ -30,7 +30,7 @@ type DefaultOrganizationPlugin<Options extends OrganizationOptions> = {
     Member: InferMember<Options>;
     Team: Options["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<Options> : never;
     TeamMember: Options["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -249,7 +249,7 @@ type OrganizationPlugin<O extends OrganizationOptions> = {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -300,7 +300,7 @@ declare function organization<O extends OrganizationOptions & {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -336,7 +336,7 @@ declare function organization<O extends OrganizationOptions & {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -372,7 +372,7 @@ declare function organization<O extends OrganizationOptions & {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;

package/dist/plugins/organization/routes/crud-team.d.mts

@@ -576,6 +576,10 @@ declare const setActiveTeam: <O extends OrganizationOptions>(options: O) => bett
 } | null>;
 declare const listUserTeams: <O extends OrganizationOptions>(options: O) => better_call0.StrictEndpoint<"/organization/list-user-teams", {
   method: "GET";
+  query: z.ZodOptional<z.ZodObject<{
+    userId: z.ZodOptional<z.ZodString>;
+    organizationId: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>>;
   metadata: {
     openapi: {
       description: string;

package/dist/plugins/organization/routes/crud-team.mjs

@@ -417,8 +417,12 @@ const setActiveTeam = (options) => createAuthEndpoint("/organization/set-active-
 });
 const listUserTeams = (options) => createAuthEndpoint("/organization/list-user-teams", {
 	method: "GET",
+	query: z.object({
+		userId: z.string().optional().meta({ description: "The user ID to list teams for. Defaults to the current session user." }),
+		organizationId: z.string().optional().meta({ description: "The organization ID to scope the team list to. When omitted on a self-query, teams are returned across every organization the user belongs to. When querying another user, falls back to the session's active organization and is required if there is no active organization." })
+	}).optional(),
 	metadata: { openapi: {
-		description: "List all teams that the current user is a part of.",
+		description: "List teams for a user. Without parameters, returns teams for the current user across every organization they belong to. Pass `organizationId` to scope the result to a specific organization. Pass `userId` to list teams for another member; this requires `member:update` permission in the target organization (the explicit `organizationId` if provided, otherwise the session's active organization).",
 		responses: { "200": {
 			description: "Teams retrieved successfully",
 			content: { "application/json": { schema: {
@@ -436,7 +440,40 @@ const listUserTeams = (options) => createAuthEndpoint("/organization/list-user-t
 	use: [orgMiddleware, orgSessionMiddleware]
 }, async (ctx) => {
 	const session = ctx.context.session;
-	const teams = await getOrgAdapter(ctx.context, ctx.context.orgOptions).listTeamsByUser({ userId: session.user.id });
+	const adapter = getOrgAdapter(ctx.context, ctx.context.orgOptions);
+	const targetUserId = ctx.query?.userId || session.user.id;
+	const isSelf = targetUserId === session.user.id;
+	const organizationId = ctx.query?.organizationId || session.session.activeOrganizationId;
+	const isExplicitOrg = Boolean(ctx.query?.organizationId);
+	if (!isSelf) {
+		if (!organizationId) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.NO_ACTIVE_ORGANIZATION);
+		const requesterMember = await adapter.findMemberByOrgId({
+			userId: session.user.id,
+			organizationId
+		});
+		if (!requesterMember) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION);
+		if (!await hasPermission({
+			role: requesterMember.role,
+			options: ctx.context.orgOptions,
+			permissions: { member: ["update"] },
+			organizationId
+		}, ctx)) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_UPDATE_THIS_MEMBER);
+		if (!await adapter.findMemberByOrgId({
+			userId: targetUserId,
+			organizationId
+		})) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION);
+		const teams = await adapter.listTeamsByUser({ userId: targetUserId });
+		return ctx.json(teams.filter((t) => t.organizationId === organizationId));
+	}
+	if (isExplicitOrg && organizationId) {
+		if (!await adapter.findMemberByOrgId({
+			userId: session.user.id,
+			organizationId
+		})) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION);
+		const teams = await adapter.listTeamsByUser({ userId: session.user.id });
+		return ctx.json(teams.filter((t) => t.organizationId === organizationId));
+	}
+	const teams = await adapter.listTeamsByUser({ userId: session.user.id });
 	return ctx.json(teams);
 });
 const listTeamMembersQuerySchema = z.optional(z.object({ teamId: z.string().optional().meta({ description: "The team whose members we should return. If this is not provided the members of the current active team get returned." }) }));

package/dist/plugins/phone-number/index.d.mts

@@ -16,6 +16,36 @@ declare module "@better-auth/core" {
 declare const phoneNumber: (options?: PhoneNumberOptions | undefined) => {
   id: "phone-number";
   version: string;
+  init(): {
+    options: {
+      databaseHooks: {
+        user: {
+          update: {
+            before(data: Partial<{
+              id: string;
+              createdAt: Date;
+              updatedAt: Date;
+              email: string;
+              emailVerified: boolean;
+              name: string;
+              image?: string | null | undefined;
+            }> & Record<string, unknown>): Promise<{
+              data: {
+                [x: string]: unknown;
+                id?: string | undefined;
+                createdAt?: Date | undefined;
+                updatedAt?: Date | undefined;
+                email?: string | undefined;
+                emailVerified?: boolean | undefined;
+                name?: string | undefined;
+                image?: string | null | undefined;
+              };
+            } | undefined>;
+          };
+        };
+      };
+    };
+  };
   hooks: {
     before: {
       matcher: (ctx: _better_auth_core0.HookEndpointContext) => boolean;

package/dist/plugins/phone-number/index.mjs

@@ -19,8 +19,16 @@ const phoneNumber = (options) => {
 	return {
 		id: "phone-number",
 		version: PACKAGE_VERSION,
+		init() {
+			return { options: { databaseHooks: { user: { update: { async before(data) {
+				if (opts.phoneNumber in data && data[opts.phoneNumber] === null) return { data: {
+					...data,
+					[opts.phoneNumberVerified]: false
+				} };
+			} } } } } };
+		},
 		hooks: { before: [{
-			matcher: (ctx) => ctx.path === "/update-user" && "phoneNumber" in ctx.body,
+			matcher: (ctx) => ctx.path === "/update-user" && "phoneNumber" in ctx.body && ctx.body.phoneNumber !== null,
 			handler: createAuthMiddleware(async (_ctx) => {
 				throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.PHONE_NUMBER_CANNOT_BE_UPDATED);
 			})

package/dist/plugins/phone-number/routes.mjs

@@ -312,6 +312,11 @@ const verifyPhoneNumber = (opts) => createAuthEndpoint("/phone-number/verify", {
 			[opts.phoneNumber]: ctx.body.phoneNumber,
 			[opts.phoneNumberVerified]: true
 		});
+		if (!user) throw APIError.from("INTERNAL_SERVER_ERROR", BASE_ERROR_CODES.FAILED_TO_UPDATE_USER);
+		await opts?.callbackOnVerification?.({
+			phoneNumber: ctx.body.phoneNumber,
+			user
+		}, ctx);
 		return ctx.json({
 			status: true,
 			token: session.session.token,

package/dist/plugins/test-utils/index.d.mts

@@ -18,19 +18,28 @@ declare module "@better-auth/core" {
  * - Auth helpers (login, getAuthHeaders, getCookies)
  * - OTP capture (when captureOTP: true)
  *
+ * This plugin does not register public HTTP routes or API endpoints, but it does
+ * expose privileged helpers on `ctx.test` for creating sessions and mutating data.
+ * Prefer including it in a test-only auth instance such as `auth.test.ts` instead
+ * of a production auth config.
+ *
+ * If you conditionally spread it into `plugins`, TypeScript may stop inferring
+ * `ctx.test` correctly. A separate test-only auth instance keeps the helpers
+ * typed without adding the plugin to your production auth config.
+ *
  * @example
  * ```ts
  * import { betterAuth } from "better-auth";
  * import { testUtils } from "better-auth/plugins";
  *
- * export const auth = betterAuth({
+ * export const testAuth = betterAuth({
  *   plugins: [
  *     testUtils({ captureOTP: true }),
  *   ],
  * });
  *
  * // In tests, access helpers via context:
- * const ctx = await auth.$context;
+ * const ctx = await testAuth.$context;
  * const test = ctx.test;
  *
  * const user = test.createUser({ email: "test@example.com" });

package/dist/plugins/test-utils/index.mjs

@@ -13,19 +13,28 @@ import { createOTPStore } from "./otp-sink.mjs";
 * - Auth helpers (login, getAuthHeaders, getCookies)
 * - OTP capture (when captureOTP: true)
 *
+* This plugin does not register public HTTP routes or API endpoints, but it does
+* expose privileged helpers on `ctx.test` for creating sessions and mutating data.
+* Prefer including it in a test-only auth instance such as `auth.test.ts` instead
+* of a production auth config.
+*
+* If you conditionally spread it into `plugins`, TypeScript may stop inferring
+* `ctx.test` correctly. A separate test-only auth instance keeps the helpers
+* typed without adding the plugin to your production auth config.
+*
 * @example
 * ```ts
 * import { betterAuth } from "better-auth";
 * import { testUtils } from "better-auth/plugins";
 *
-* export const auth = betterAuth({
+* export const testAuth = betterAuth({
 *   plugins: [
 *     testUtils({ captureOTP: true }),
 *   ],
 * });
 *
 * // In tests, access helpers via context:
-* const ctx = await auth.$context;
+* const ctx = await testAuth.$context;
 * const test = ctx.test;
 *
 * const user = test.createUser({ email: "test@example.com" });

package/dist/plugins/two-factor/index.mjs

@@ -212,13 +212,12 @@ const twoFactor = (options) => {
 		options,
 		hooks: { after: [{
 			matcher(context) {
-				return context.context.newSession != null && !context.path?.startsWith("/two-factor/");
+				return context.path === "/sign-in/email" || context.path === "/sign-in/username" || context.path === "/sign-in/phone-number";
 			},
 			handler: createAuthMiddleware(async (ctx) => {
 				const data = ctx.context.newSession;
 				if (!data) return;
 				if (!data?.user.twoFactorEnabled) return;
-				if (ctx.context.session) return;
 				const trustDeviceCookieAttrs = ctx.context.createAuthCookie(TRUST_DEVICE_COOKIE_NAME, { maxAge: trustDeviceMaxAge });
 				const trustDeviceCookie = await ctx.getSignedCookie(trustDeviceCookieAttrs.name, ctx.context.secret);
 				if (trustDeviceCookie) {

package/dist/utils/is-api-error.d.mts

@@ -1,6 +1,2 @@
-import { APIError } from "@better-auth/core/error";
-
-//#region src/utils/is-api-error.d.ts
-declare function isAPIError(error: unknown): error is APIError;
-//#endregion
+import { isAPIError } from "@better-auth/core/utils/is-api-error";
 export { isAPIError };

package/dist/utils/is-api-error.mjs

@@ -1,8 +1,2 @@
-import { APIError } from "@better-auth/core/error";
-import { APIError as APIError$1 } from "better-call";
-//#region src/utils/is-api-error.ts
-function isAPIError(error) {
-	return error instanceof APIError$1 || error instanceof APIError || error?.name === "APIError";
-}
-//#endregion
+import { isAPIError } from "@better-auth/core/utils/is-api-error";
 export { isAPIError };

package/dist/utils/url.mjs

@@ -2,6 +2,21 @@ import { wildcardMatch } from "./wildcard.mjs";
 import { env } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
 //#region src/utils/url.ts
+/**
+* Minimal loopback check for dev scheme inference only. Reachable from
+* `client/config.ts` via `getBaseURL`, so we MUST NOT import the full
+* `@better-auth/core/utils/host` classifier here: its `utils/ip` dependency
+* on zod would leak into the client bundle (see `e2e/smoke/test/vite.spec.ts`).
+*
+* Server-side SSRF/loopback checks (oauth redirect matching, trusted-origin
+* resolution, electron fetch gate) continue to use the authoritative
+* `isLoopbackHost` from `@better-auth/core/utils/host`. This helper's only
+* job is picking `http` vs `https` for dev ergonomics.
+*/
+function isLoopbackForDevScheme(host) {
+	const hostname = host.replace(/:\d+$/, "").replace(/^\[|\]$/g, "").toLowerCase();
+	return hostname === "localhost" || hostname.endsWith(".localhost") || hostname === "::1" || hostname.startsWith("127.");
+}
 function checkHasPath(url) {
 	try {
 		return (new URL(url).pathname.replace(/\/+$/, "") || "/") !== "/";
@@ -146,13 +161,9 @@ function getProtocolFromSource(source, configProtocol, trustedProxyHeaders) {
 		if (url.protocol === "http:" || url.protocol === "https:") return url.protocol.slice(0, -1);
 	} catch {}
 	const host = getHostFromSource(source, trustedProxyHeaders);
-	if (host && isLoopbackHost(host)) return "http";
+	if (host && isLoopbackForDevScheme(host)) return "http";
 	return "https";
 }
-function isLoopbackHost(host) {
-	const h = host.toLowerCase();
-	return h === "localhost" || h.startsWith("localhost:") || h === "127.0.0.1" || h.startsWith("127.0.0.1:") || h === "[::1]" || h.startsWith("[::1]:") || h === "0.0.0.0" || h.startsWith("0.0.0.0:");
-}
 /**
 * Matches a hostname against a host pattern.
 * Supports wildcard patterns like `*.vercel.app` or `preview-*.myapp.com`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.7.0-beta.1",
+  "version": "1.7.0-beta.2",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.14",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.7.0-beta.1",
-    "@better-auth/drizzle-adapter": "1.7.0-beta.1",
-    "@better-auth/kysely-adapter": "1.7.0-beta.1",
-    "@better-auth/memory-adapter": "1.7.0-beta.1",
-    "@better-auth/mongo-adapter": "1.7.0-beta.1",
-    "@better-auth/prisma-adapter": "1.7.0-beta.1",
-    "@better-auth/telemetry": "1.7.0-beta.1"
+    "@better-auth/core": "1.7.0-beta.2",
+    "@better-auth/drizzle-adapter": "1.7.0-beta.2",
+    "@better-auth/kysely-adapter": "1.7.0-beta.2",
+    "@better-auth/memory-adapter": "1.7.0-beta.2",
+    "@better-auth/mongo-adapter": "1.7.0-beta.2",
+    "@better-auth/prisma-adapter": "1.7.0-beta.2",
+    "@better-auth/telemetry": "1.7.0-beta.2"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",
@@ -512,7 +512,7 @@
     "happy-dom": "^20.8.9",
     "listhen": "^1.9.0",
     "msw": "^2.12.10",
-    "next": "^16.2.0",
+    "next": "^16.2.3",
     "oauth2-mock-server": "^8.2.2",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
@@ -531,7 +531,7 @@
     "@tanstack/solid-start": "^1.0.0",
     "better-sqlite3": "^12.0.0",
     "drizzle-kit": ">=0.31.4",
-    "drizzle-orm": ">=0.41.0",
+    "drizzle-orm": "^0.45.2",
     "mongodb": "^6.0.0 || ^7.0.0",
     "mysql2": "^3.0.0",
     "next": "^14.0.0 || ^15.0.0 || ^16.0.0",