better-auth 1.7.0-beta.2 → 1.7.0-beta.4

package/README.md

@@ -1,32 +1,31 @@
-<p align="center">
+<div align="center">
   <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://github.com/better-auth/better-auth/blob/main/banner-dark.png?raw=true" />
-    <source media="(prefers-color-scheme: light)" srcset="https://github.com/better-auth/better-auth/blob/main/banner.png?raw=true" />
-    <img alt="Better Auth Logo" src="https://github.com/better-auth/better-auth/blob/main/banner.png?raw=true" />
+    <source srcset="https://github.com/better-auth/better-auth/blob/main/banner-dark.png?raw=true" media="(prefers-color-scheme: dark)"/>
+    <source srcset="https://github.com/better-auth/better-auth/blob/main/banner-light.png?raw=true" media="(prefers-color-scheme: light)"/>
+    <img src="https://github.com/better-auth/better-auth/blob/main/banner-light.png?raw=true" alt="Better Auth Logo"/>
   </picture>
 
-  <h1 align="center">
-    Better Auth
-  </h1>
+  [![npm](https://img.shields.io/npm/dm/better-auth?style=flat&colorA=000000&colorB=000000)](https://npm.chart.dev/better-auth?primary=neutral&gray=neutral&theme=dark)
+  [![npm version](https://img.shields.io/npm/v/better-auth.svg?style=flat&colorA=000000&colorB=000000)](https://www.npmjs.com/package/better-auth)
+  [![GitHub stars](https://img.shields.io/github/stars/better-auth/better-auth?style=flat&colorA=000000&colorB=000000)](https://github.com/better-auth/better-auth/stargazers)
 
-  <p align="center">
-    The most comprehensive authentication framework for TypeScript
-    <br />
-    <a href="https://better-auth.com"><strong>Learn more »</strong></a>
-    <br />
-    <br />
+  <p>
     <a href="https://discord.gg/better-auth">Discord</a>
     ·
     <a href="https://better-auth.com">Website</a>
     ·
     <a href="https://github.com/better-auth/better-auth/issues">Issues</a>
   </p>
-</p>
+</div>
+
+## Better Auth
+
+Better Auth is a framework-agnostic authentication (and authorization) framework for TypeScript. It provides a comprehensive set of features out of the box and includes a plugin ecosystem that simplifies adding advanced functionalities with minimal code in a short amount of time. Whether you need 2FA, multi-tenant support, or other complex features, it lets you focus on building your actual application instead of reinventing the wheel.
 
 ## Getting Started
 
 ```bash
-pnpm install better-auth
+npm i better-auth
 ```
 
 Read the [Installation Guide](https://better-auth.com/docs/installation) to

package/dist/_virtual/_rolldown/runtime.mjs

@@ -1,8 +1,12 @@
+import { createRequire } from "node:module";
 //#region \0rolldown/runtime.js
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJSMin = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
 var __exportAll = (all, no_symbols) => {
 	let target = {};
 	for (var name in all) __defProp(target, name, {
@@ -23,5 +27,10 @@ var __copyProps = (to, from, except, desc) => {
 	return to;
 };
 var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
+	value: mod,
+	enumerable: true
+}) : target, mod));
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
 //#endregion
-export { __exportAll, __reExport };
+export { __commonJSMin, __exportAll, __reExport, __require, __toESM };

package/dist/api/index.d.mts

@@ -110,6 +110,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
         requestSignUp: zod.ZodOptional<zod.ZodBoolean>;
         loginHint: zod.ZodOptional<zod.ZodString>;
+        additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
         additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
       }, zod_v4_core0.$strip>;
       metadata: {
@@ -137,6 +138,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
             scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
             requestSignUp: zod.ZodOptional<zod.ZodBoolean>;
             loginHint: zod.ZodOptional<zod.ZodString>;
+            additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
             additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
           }, zod_v4_core0.$strip>>;
           returned: {
@@ -178,7 +180,6 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
                       };
                       redirect: {
                         type: string;
-                        enum: boolean[];
                       };
                     };
                     required: string[];
@@ -330,6 +331,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         callbackURL: zod.ZodOptional<zod.ZodString>;
         rememberMe: zod.ZodOptional<zod.ZodBoolean>;
       }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+      cloneRequest: true;
       metadata: {
         allowedMediaTypes: string[];
         $Infer: {
@@ -496,6 +498,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
       method: "POST";
       operationId: string;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodString;
         password: zod.ZodString;
@@ -727,6 +730,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
     readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
       method: "POST";
       operationId: string;
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodEmail;
         callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -1583,6 +1587,8 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
         errorCallbackURL: zod.ZodOptional<zod.ZodString>;
         disableRedirect: zod.ZodOptional<zod.ZodBoolean>;
+        loginHint: zod.ZodOptional<zod.ZodString>;
+        additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
         additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
       }, zod_v4_core0.$strip>;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
@@ -1931,29 +1937,6 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
       method: "GET";
-      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        session: {
-          session: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            userId: string;
-            expiresAt: Date;
-            token: string;
-            ipAddress?: string | null | undefined;
-            userAgent?: string | null | undefined;
-          };
-          user: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            email: string;
-            emailVerified: boolean;
-            name: string;
-            image?: string | null | undefined;
-          };
-        };
-      }>)[];
       metadata: {
         openapi: {
           description: string;
@@ -2003,6 +1986,8 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
       };
       query: zod.ZodOptional<zod.ZodObject<{
         accountId: zod.ZodOptional<zod.ZodString>;
+        providerId: zod.ZodOptional<zod.ZodString>;
+        userId: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
     }, {
       user: _better_auth_core_oauth20.OAuth2UserInfo;
@@ -2101,6 +2086,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
         requestSignUp: zod.ZodOptional<zod.ZodBoolean>;
         loginHint: zod.ZodOptional<zod.ZodString>;
+        additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
         additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
       }, zod_v4_core0.$strip>;
       metadata: {
@@ -2128,6 +2114,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
             scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
             requestSignUp: zod.ZodOptional<zod.ZodBoolean>;
             loginHint: zod.ZodOptional<zod.ZodString>;
+            additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
             additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
           }, zod_v4_core0.$strip>>;
           returned: {
@@ -2169,7 +2156,6 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
                       };
                       redirect: {
                         type: string;
-                        enum: boolean[];
                       };
                     };
                     required: string[];
@@ -2321,6 +2307,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         callbackURL: zod.ZodOptional<zod.ZodString>;
         rememberMe: zod.ZodOptional<zod.ZodBoolean>;
       }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+      cloneRequest: true;
       metadata: {
         allowedMediaTypes: string[];
         $Infer: {
@@ -2487,6 +2474,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
       method: "POST";
       operationId: string;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodString;
         password: zod.ZodString;
@@ -2718,6 +2706,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
     readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
       method: "POST";
       operationId: string;
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodEmail;
         callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -3574,6 +3563,8 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
         errorCallbackURL: zod.ZodOptional<zod.ZodString>;
         disableRedirect: zod.ZodOptional<zod.ZodBoolean>;
+        loginHint: zod.ZodOptional<zod.ZodString>;
+        additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
         additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
       }, zod_v4_core0.$strip>;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
@@ -3922,29 +3913,6 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
       method: "GET";
-      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        session: {
-          session: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            userId: string;
-            expiresAt: Date;
-            token: string;
-            ipAddress?: string | null | undefined;
-            userAgent?: string | null | undefined;
-          };
-          user: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            email: string;
-            emailVerified: boolean;
-            name: string;
-            image?: string | null | undefined;
-          };
-        };
-      }>)[];
       metadata: {
         openapi: {
           description: string;
@@ -3994,6 +3962,8 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
       };
       query: zod.ZodOptional<zod.ZodObject<{
         accountId: zod.ZodOptional<zod.ZodString>;
+        providerId: zod.ZodOptional<zod.ZodString>;
+        userId: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
     }, {
       user: _better_auth_core_oauth20.OAuth2UserInfo;

package/dist/api/routes/account.d.mts

@@ -104,6 +104,8 @@ declare const linkSocialAccount: better_call0.StrictEndpoint<"/link-social", {
     scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
     errorCallbackURL: z.ZodOptional<z.ZodString>;
     disableRedirect: z.ZodOptional<z.ZodBoolean>;
+    loginHint: z.ZodOptional<z.ZodString>;
+    additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
     additionalData: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
   }, z.core.$strip>;
   use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
@@ -328,29 +330,6 @@ declare const refreshToken: better_call0.StrictEndpoint<"/refresh-token", {
 }>;
 declare const accountInfo: better_call0.StrictEndpoint<"/account-info", {
   method: "GET";
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-    session: {
-      session: Record<string, any> & {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        userId: string;
-        expiresAt: Date;
-        token: string;
-        ipAddress?: string | null | undefined;
-        userAgent?: string | null | undefined;
-      };
-      user: Record<string, any> & {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        email: string;
-        emailVerified: boolean;
-        name: string;
-        image?: string | null | undefined;
-      };
-    };
-  }>)[];
   metadata: {
     openapi: {
       description: string;
@@ -400,6 +379,8 @@ declare const accountInfo: better_call0.StrictEndpoint<"/account-info", {
   };
   query: z.ZodOptional<z.ZodObject<{
     accountId: z.ZodOptional<z.ZodString>;
+    providerId: z.ZodOptional<z.ZodString>;
+    userId: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>>;
 }, {
   user: _better_auth_core_oauth20.OAuth2UserInfo;

package/dist/api/routes/account.mjs

@@ -1,10 +1,13 @@
 import { parseAccountOutput } from "../../db/schema.mjs";
 import { getAccountCookie, setAccountCookie } from "../../cookies/session-store.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
-import { generateState } from "../../oauth2/state.mjs";
+import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
 import { decryptOAuthToken, setTokenUtil } from "../../oauth2/utils.mjs";
+import { applyUpdateUserInfoOnLink } from "../../oauth2/link-account.mjs";
+import { generateState } from "../../oauth2/state.mjs";
 import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
+import { additionalAuthorizationParamsSchema } from "@better-auth/core/oauth2";
 import { SocialProviderListEnum } from "@better-auth/core/social-providers";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
@@ -80,6 +83,8 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 		scopes: z.array(z.string()).meta({ description: "Additional scopes to request from the provider" }).optional(),
 		errorCallbackURL: z.string().meta({ description: "The URL to redirect to if there is an error during the link process" }).optional(),
 		disableRedirect: z.boolean().meta({ description: "Disable automatic redirection to the provider. Useful for handling the redirection yourself" }).optional(),
+		loginHint: z.string().meta({ description: "The login hint to use for the authorization code request" }).optional(),
+		additionalParams: additionalAuthorizationParamsSchema,
 		additionalData: z.record(z.string(), z.any()).optional()
 	}),
 	use: [sessionMiddleware],
@@ -133,7 +138,7 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 		}
 		const linkingUserId = String(linkingUserInfo.user.id);
 		if (!linkingUserInfo.user.email) {
-			c.context.logger.error("User email not found", { provider: c.body.provider });
+			c.context.logger.error(missingEmailLogMessage(c.body.provider, { source: "id_token" }), { provider: c.body.provider });
 			throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.USER_EMAIL_NOT_FOUND);
 		}
 		if ((await c.context.internalAdapter.findAccounts(session.user.id)).find((a) => a.providerId === provider.id && a.accountId === linkingUserId)) return c.json({
@@ -165,14 +170,7 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 				code: "LINKING_FAILED"
 			});
 		}
-		if (c.context.options.account?.accountLinking?.updateUserInfoOnLink === true) try {
-			await c.context.internalAdapter.updateUser(session.user.id, {
-				name: linkingUserInfo.user?.name,
-				image: linkingUserInfo.user?.image
-			});
-		} catch (e) {
-			console.warn("Could not update user - " + e.toString());
-		}
+		await applyUpdateUserInfoOnLink(c, session.user.id, linkingUserInfo.user);
 		return c.json({
 			url: "",
 			status: true,
@@ -187,7 +185,9 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 		state: state.state,
 		codeVerifier: state.codeVerifier,
 		redirectURI: `${c.context.baseURL}/callback/${provider.id}`,
-		scopes: c.body.scopes
+		scopes: c.body.scopes,
+		loginHint: c.body.loginHint,
+		additionalParams: c.body.additionalParams
 	});
 	if (!c.body.disableRedirect) c.setHeader("Location", url.toString());
 	return c.json({
@@ -221,50 +221,44 @@ const unlinkAccount = createAuthEndpoint("/unlink-account", {
 	await ctx.context.internalAdapter.deleteAccount(accountExist.id);
 	return ctx.json({ status: true });
 });
-const getAccessToken = createAuthEndpoint("/get-access-token", {
-	method: "POST",
-	body: z.object({
-		providerId: z.string().meta({ description: "The provider ID for the OAuth provider" }),
-		accountId: z.string().meta({ description: "The account ID associated with the refresh token" }).optional(),
-		userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
-	}),
-	metadata: { openapi: {
-		description: "Get a valid access token, doing a refresh if needed",
-		responses: {
-			200: {
-				description: "A Valid access token",
-				content: { "application/json": { schema: {
-					type: "object",
-					properties: {
-						tokenType: { type: "string" },
-						idToken: { type: "string" },
-						accessToken: { type: "string" },
-						accessTokenExpiresAt: {
-							type: "string",
-							format: "date-time"
-						}
-					}
-				} } }
-			},
-			400: { description: "Invalid refresh token or provider configuration" }
-		}
-	} }
-}, async (ctx) => {
-	const { providerId, accountId, userId } = ctx.body || {};
-	const req = ctx.request;
+/**
+* Resolves the user id an account-token operation should act on.
+*
+* A caller reaching the server over HTTP (a request or session headers are
+* present) must have a valid session, and that session's user always wins.
+* A trusted server-side `auth.api` caller with no session may instead name a
+* `userId` directly. Throws `UNAUTHORIZED` when an HTTP caller is
+* unauthenticated, and `USER_ID_OR_SESSION_REQUIRED` when neither a session
+* nor a `userId` is available.
+*/
+async function resolveUserId(ctx, userId) {
 	const session = await getSessionFromCtx(ctx);
-	if (req && !session) throw ctx.error("UNAUTHORIZED");
+	if (!session && (ctx.request || ctx.headers)) throw ctx.error("UNAUTHORIZED");
 	const resolvedUserId = session?.user?.id || userId;
-	if (!resolvedUserId) throw ctx.error("UNAUTHORIZED");
+	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
+		message: "Either userId or session is required",
+		code: "USER_ID_OR_SESSION_REQUIRED"
+	});
+	return resolvedUserId;
+}
+/**
+* Fetches a currently-valid access token for a user's provider account,
+* refreshing and persisting it when it is within five seconds of expiry.
+* Shared by the `/get-access-token` endpoint and `/account-info` so both
+* resolve and refresh tokens through one path.
+*/
+async function getValidAccessToken(ctx, { resolvedUserId, providerId, accountId, account: resolvedAccount }) {
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: providerId });
 	if (!provider) throw APIError.from("BAD_REQUEST", {
 		message: `Provider ${providerId} is not supported.`,
 		code: "PROVIDER_NOT_SUPPORTED"
 	});
-	const accountData = await getAccountCookie(ctx);
-	let account = void 0;
-	if (accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
-	else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
+	let account = resolvedAccount;
+	if (!account) {
+		const accountData = await getAccountCookie(ctx);
+		if (accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
+		else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
+	}
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	try {
 		let newTokens = null;
@@ -296,19 +290,55 @@ const getAccessToken = createAuthEndpoint("/get-access-token", {
 				return account.accessTokenExpiresAt;
 			}
 		})();
-		const tokens = {
+		return {
 			accessToken: newTokens?.accessToken ?? await decryptOAuthToken(account.accessToken ?? "", ctx.context),
 			accessTokenExpiresAt,
 			scopes: account.scope?.split(",") ?? [],
 			idToken: newTokens?.idToken ?? account.idToken ?? void 0
 		};
-		return ctx.json(tokens);
 	} catch (_error) {
 		throw APIError.from("BAD_REQUEST", {
 			message: "Failed to get a valid access token",
 			code: "FAILED_TO_GET_ACCESS_TOKEN"
 		});
 	}
+}
+const getAccessToken = createAuthEndpoint("/get-access-token", {
+	method: "POST",
+	body: z.object({
+		providerId: z.string().meta({ description: "The provider ID for the OAuth provider" }),
+		accountId: z.string().meta({ description: "The account ID associated with the refresh token" }).optional(),
+		userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
+	}),
+	metadata: { openapi: {
+		description: "Get a valid access token, doing a refresh if needed",
+		responses: {
+			200: {
+				description: "A Valid access token",
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: {
+						tokenType: { type: "string" },
+						idToken: { type: "string" },
+						accessToken: { type: "string" },
+						accessTokenExpiresAt: {
+							type: "string",
+							format: "date-time"
+						}
+					}
+				} } }
+			},
+			400: { description: "Invalid refresh token or provider configuration" }
+		}
+	} }
+}, async (ctx) => {
+	const { providerId, accountId, userId } = ctx.body || {};
+	const tokens = await getValidAccessToken(ctx, {
+		resolvedUserId: await resolveUserId(ctx, userId),
+		providerId,
+		accountId
+	});
+	return ctx.json(tokens);
 });
 const refreshToken = createAuthEndpoint("/refresh-token", {
 	method: "POST",
@@ -345,14 +375,7 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 	} }
 }, async (ctx) => {
 	const { providerId, accountId, userId } = ctx.body;
-	const req = ctx.request;
-	const session = await getSessionFromCtx(ctx);
-	if (req && !session) throw ctx.error("UNAUTHORIZED");
-	const resolvedUserId = session?.user?.id || userId;
-	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
-		message: `Either userId or session is required`,
-		code: "USER_ID_OR_SESSION_REQUIRED"
-	});
+	const resolvedUserId = await resolveUserId(ctx, userId);
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: providerId });
 	if (!provider) throw APIError.from("BAD_REQUEST", {
 		message: `Provider ${providerId} is not supported.`,
@@ -417,10 +440,13 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 		});
 	}
 });
-const accountInfoQuerySchema = z.optional(z.object({ accountId: z.string().meta({ description: "The provider given account id for which to get the account info" }).optional() }));
+const accountInfoQuerySchema = z.optional(z.object({
+	accountId: z.string().meta({ description: "The provider given account id for which to get the account info" }).optional(),
+	providerId: z.string().meta({ description: "The provider ID to disambiguate provider-issued account IDs" }).optional(),
+	userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
+}));
 const accountInfo = createAuthEndpoint("/account-info", {
 	method: "GET",
-	use: [sessionMiddleware],
 	metadata: { openapi: {
 		description: "Get the account info provided by the provider",
 		responses: { "200": {
@@ -452,7 +478,8 @@ const accountInfo = createAuthEndpoint("/account-info", {
 	} },
 	query: accountInfoQuerySchema
 }, async (ctx) => {
-	const providedAccountId = ctx.query?.accountId;
+	const { accountId: providedAccountId, providerId: providedProviderId, userId } = ctx.query || {};
+	const resolvedUserId = await resolveUserId(ctx, userId);
 	let account = void 0;
 	if (!providedAccountId) {
 		if (ctx.context.options.account?.storeAccountCookie) {
@@ -460,24 +487,24 @@ const accountInfo = createAuthEndpoint("/account-info", {
 			if (accountData) account = accountData;
 		}
 	} else {
-		const accountData = await ctx.context.internalAdapter.findAccount(providedAccountId);
-		if (accountData) account = accountData;
+		const matchingAccounts = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).filter((acc) => acc.accountId === providedAccountId && (!providedProviderId || acc.providerId === providedProviderId));
+		if (matchingAccounts.length > 1) throw APIError.from("BAD_REQUEST", {
+			message: "Multiple accounts share this account ID. Pass a providerId to disambiguate.",
+			code: "AMBIGUOUS_ACCOUNT"
+		});
+		account = matchingAccounts[0];
 	}
-	if (!account || account.userId !== ctx.context.session.user.id) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
+	if (!account || account.userId !== resolvedUserId) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: account.providerId });
-	if (!provider) throw APIError.from("INTERNAL_SERVER_ERROR", {
-		message: `Provider account provider is ${account.providerId} but it is not configured`,
+	if (!provider) throw APIError.from("BAD_REQUEST", {
+		message: "Account is not associated with a configured social provider.",
 		code: "PROVIDER_NOT_CONFIGURED"
 	});
-	const tokens = await getAccessToken({
-		...ctx,
-		method: "POST",
-		body: {
-			accountId: account.accountId,
-			providerId: account.providerId
-		},
-		returnHeaders: false,
-		returnStatus: false
+	const tokens = await getValidAccessToken(ctx, {
+		resolvedUserId,
+		providerId: account.providerId,
+		accountId: account.accountId,
+		account
 	});
 	if (!tokens.accessToken) throw APIError.from("BAD_REQUEST", {
 		message: "Access token not found",