better-auth 1.7.0-beta.2 → 1.7.0-beta.4

package/dist/api/routes/callback.mjs

@@ -1,9 +1,11 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
-import { parseState } from "../../oauth2/state.mjs";
+import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
+import { applyUpdateUserInfoOnLink, handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { generateState, parseState } from "../../oauth2/state.mjs";
 import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
-import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 import { createAuthEndpoint } from "@better-auth/core/api";
@@ -51,9 +53,21 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		throw c.redirect(`${defaultErrorURL}?error=invalid_callback_request`);
 	}
 	const { code, error, state, error_description, device_id, user: userData, iss } = queryOrBody;
+	if (state === void 0 && code) {
+		const provider = await getAwaitableValue(c.context.socialProviders, { value: c.params.id });
+		if (provider?.allowIdpInitiated) {
+			const { state: freshState, codeVerifier } = await generateState(c, void 0, void 0);
+			const authUrl = await provider.createAuthorizationURL({
+				state: freshState,
+				codeVerifier,
+				redirectURI: `${c.context.baseURL}/callback/${provider.id}`
+			});
+			throw c.redirect(authUrl.toString());
+		}
+	}
 	if (!state) {
 		c.context.logger.error("State not found", error);
-		const url = `${defaultErrorURL}${defaultErrorURL.includes("?") ? "&" : "?"}state=state_not_found`;
+		const url = `${defaultErrorURL}${defaultErrorURL.includes("?") ? "&" : "?"}error=state_not_found`;
 		throw c.redirect(url);
 	}
 	const { codeVerifier, callbackURL, link, errorURL, newUserURL, requestSignUp } = await parseState(c);
@@ -99,10 +113,11 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		...tokens,
 		user: parsedUserData ?? void 0
 	}).then((res) => res?.user);
-	if (!userInfo) {
+	if (!userInfo || userInfo.id === void 0 || userInfo.id === null) {
 		c.context.logger.error("Unable to get user info");
 		return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_GET_USER_INFO);
 	}
+	const providerAccountId = String(userInfo.id);
 	if (!callbackURL) {
 		c.context.logger.error("No callback URL found");
 		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.NO_CALLBACK_URL);
@@ -113,7 +128,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 			return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_LINK_ACCOUNT);
 		}
 		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.EMAIL_DOES_NOT_MATCH);
-		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(String(userInfo.id), provider.id);
+		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(providerAccountId, provider.id);
 		if (existingAccount) {
 			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.ACCOUNT_ALREADY_LINKED_TO_DIFFERENT_USER);
 			const updateData = Object.fromEntries(Object.entries({
@@ -128,12 +143,13 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		} else if (!await c.context.internalAdapter.createAccount({
 			userId: link.userId,
 			providerId: provider.id,
-			accountId: String(userInfo.id),
+			accountId: providerAccountId,
 			...tokens,
 			accessToken: await setTokenUtil(tokens.accessToken, c.context),
 			refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
 			scope: tokens.scopes?.join(",")
 		})) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_LINK_ACCOUNT);
+		await applyUpdateUserInfoOnLink(c, link.userId, userInfo);
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();
@@ -143,27 +159,33 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		throw c.redirect(toRedirectTo);
 	}
 	if (!userInfo.email) {
-		c.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings.");
+		c.context.logger.error(missingEmailLogMessage(provider.id));
 		return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.EMAIL_NOT_FOUND);
 	}
 	const accountData = {
 		providerId: provider.id,
-		accountId: String(userInfo.id),
+		accountId: providerAccountId,
 		...tokens,
 		scope: tokens.scopes?.join(",")
 	};
-	const result = await handleOAuthUserInfo(c, {
-		userInfo: {
-			...userInfo,
-			id: String(userInfo.id),
-			email: userInfo.email,
-			name: userInfo.name || ""
-		},
-		account: accountData,
-		callbackURL,
-		disableSignUp: provider.disableImplicitSignUp && !requestSignUp || provider.options?.disableSignUp,
-		overrideUserInfo: provider.options?.overrideUserInfoOnSignIn
-	});
+	let result;
+	try {
+		result = await handleOAuthUserInfo(c, {
+			userInfo: {
+				...userInfo,
+				id: providerAccountId,
+				email: userInfo.email,
+				name: userInfo.name || ""
+			},
+			account: accountData,
+			callbackURL,
+			disableSignUp: provider.disableImplicitSignUp && !requestSignUp || provider.options?.disableSignUp,
+			overrideUserInfo: provider.options?.overrideUserInfoOnSignIn
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) redirectOnError(e.body.code, e.body.message);
+		throw e;
+	}
 	if (result.error) {
 		c.context.logger.error(result.error.split(" ").join("_"));
 		return redirectOnError(result.error.split(" ").join("_"));

package/dist/api/routes/email-verification.d.mts

@@ -27,6 +27,7 @@ declare function sendVerificationEmailFn(ctx: GenericEndpointContext, user: User
 declare const sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
   method: "POST";
   operationId: string;
+  cloneRequest: true;
   body: z.ZodObject<{
     email: z.ZodEmail;
     callbackURL: z.ZodOptional<z.ZodString>;

package/dist/api/routes/email-verification.mjs

@@ -12,7 +12,7 @@ import { JWTExpired } from "jose/errors";
 async function createEmailVerificationToken(secret, email, updateTo, expiresIn = 3600, extraPayload) {
 	return await signJWT({
 		email: email.toLowerCase(),
-		updateTo,
+		updateTo: updateTo?.toLowerCase(),
 		...extraPayload
 	}, secret, expiresIn);
 }
@@ -31,11 +31,12 @@ async function sendVerificationEmailFn(ctx, user) {
 		user,
 		url,
 		token
-	}, ctx.request));
+	}, ctx.request?.clone()));
 }
 const sendVerificationEmail = createAuthEndpoint("/send-verification-email", {
 	method: "POST",
 	operationId: "sendVerificationEmail",
+	cloneRequest: true,
 	body: z.object({
 		email: z.email().meta({ description: "The email to send the verification email to" }),
 		callbackURL: z.string().meta({ description: "The URL to use for email verification callback" }).optional()
@@ -101,7 +102,7 @@ const sendVerificationEmail = createAuthEndpoint("/send-verification-email", {
 		await sendVerificationEmailFn(ctx, user.user);
 		return ctx.json({ status: true });
 	}
-	if (session?.user.email !== email) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_MISMATCH);
+	if (session?.user.email.toLowerCase() !== email.toLowerCase()) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_MISMATCH);
 	if (session?.user.emailVerified) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_ALREADY_VERIFIED);
 	await sendVerificationEmailFn(ctx, session.user);
 	return ctx.json({ status: true });
@@ -185,7 +186,7 @@ const verifyEmail = createAuthEndpoint("/verify-email", {
 					},
 					url,
 					token: newToken
-				}, ctx.request));
+				}, ctx.request?.clone()));
 				if (ctx.query.callbackURL) throw ctx.redirect(ctx.query.callbackURL);
 				return ctx.json({ status: true });
 			}
@@ -238,7 +239,7 @@ const verifyEmail = createAuthEndpoint("/verify-email", {
 					user: updatedUser,
 					url: `${ctx.context.baseURL}/verify-email?token=${newToken}&callbackURL=${updateCallbackURL}`,
 					token: newToken
-				}, ctx.request));
+				}, ctx.request?.clone()));
 				await setSessionCookie(ctx, {
 					session: activeSession.session,
 					user: {

package/dist/api/routes/error.mjs

@@ -282,7 +282,7 @@ ${custom?.disableBackgroundGrid ? "" : `
               text-wrap: pretty;
             "
           >
-            ${!description ? `We encountered an unexpected error. Please try again or return to the home page. If you're a developer, you can find more information about the error <a href='https://better-auth.com/docs/reference/errors/${encodeURIComponent(code)}' target='_blank' rel="noopener noreferrer" style='color: var(--foreground); text-decoration: underline;'>here</a>.` : description}
+            ${!description ? `We encountered an unexpected error. Please try again or return to the home page. If you're a developer, you can find <a href='https://better-auth.com/docs/reference/errors/${encodeURIComponent(code)}' target='_blank' rel="noopener noreferrer" style='color: var(--foreground); text-decoration: underline;'>more information about the error</a>.` : description}
           </p>
         </div>
 

package/dist/api/routes/password.mjs

@@ -161,7 +161,7 @@ const resetPassword = createAuthEndpoint("/reset-password", {
 		const user = await ctx.context.internalAdapter.findUserById(userId);
 		if (user) await ctx.context.options.emailAndPassword.onPasswordReset({ user }, ctx.request);
 	}
-	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteSessions(userId);
+	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteUserSessions(userId);
 	return ctx.json({ status: true });
 });
 const verifyPassword = createAuthEndpoint("/verify-password", {

package/dist/api/routes/session.mjs

@@ -129,12 +129,8 @@ const getSession = () => createAuthEndpoint("/get-session", {
 					const updateAge = cookieRefreshCache.updateAge * 1e3;
 					const shouldSkipSessionRefresh = await getShouldSkipSessionRefresh();
 					if (timeUntilExpiry < updateAge && !shouldSkipSessionRefresh) {
-						const newExpiresAt = getDate(ctx.context.options.session?.cookieCache?.maxAge || 300, "sec");
 						const refreshedSession = {
-							session: {
-								...session.session,
-								expiresAt: newExpiresAt
-							},
+							session: { ...session.session },
 							user: session.user,
 							updatedAt: Date.now()
 						};
@@ -276,17 +272,26 @@ const getSessionFromCtx = async (ctx, config) => {
 		method: "GET",
 		asResponse: false,
 		headers: ctx.headers,
-		returnHeaders: false,
+		returnHeaders: true,
 		returnStatus: false,
 		query: {
 			...config,
 			...ctx.query
 		}
-	}).catch((e) => {
+	}).catch(() => {
 		return null;
 	});
-	ctx.context.session = session;
-	return session;
+	if (!session) {
+		ctx.context.session = null;
+		return null;
+	}
+	if (session.headers) session.headers.forEach((value, key) => {
+		if (!ctx.context.responseHeaders) ctx.context.responseHeaders = new Headers({ [key]: value });
+		else if (key.toLowerCase() === "set-cookie") ctx.context.responseHeaders.append(key, value);
+		else ctx.context.responseHeaders.set(key, value);
+	});
+	ctx.context.session = session.response;
+	return session.response;
 };
 /**
 * The middleware forces the endpoint to require a valid session.
@@ -440,7 +445,7 @@ const revokeSessions = createAuthEndpoint("/revoke-sessions", {
 	} }
 }, async (ctx) => {
 	try {
-		await ctx.context.internalAdapter.deleteSessions(ctx.context.session.user.id);
+		await ctx.context.internalAdapter.deleteUserSessions(ctx.context.session.user.id);
 	} catch (error) {
 		ctx.context.logger.error(error && typeof error === "object" && "name" in error ? error.name : "", error);
 		throw APIError.from("INTERNAL_SERVER_ERROR", {

package/dist/api/routes/sign-in.d.mts

@@ -27,6 +27,7 @@ declare const socialSignInBodySchema: z.ZodObject<{
   scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
   requestSignUp: z.ZodOptional<z.ZodBoolean>;
   loginHint: z.ZodOptional<z.ZodString>;
+  additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
   additionalData: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
 }, z.core.$strip>;
 declare const signInSocial: <O extends BetterAuthOptions>() => better_call0.StrictEndpoint<"/sign-in/social", {
@@ -55,6 +56,7 @@ declare const signInSocial: <O extends BetterAuthOptions>() => better_call0.Stri
     scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
     requestSignUp: z.ZodOptional<z.ZodBoolean>;
     loginHint: z.ZodOptional<z.ZodString>;
+    additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
     additionalData: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
   }, z.core.$strip>;
   metadata: {
@@ -91,7 +93,6 @@ declare const signInSocial: <O extends BetterAuthOptions>() => better_call0.Stri
                   };
                   redirect: {
                     type: string;
-                    enum: boolean[];
                   };
                 };
                 required: string[];
@@ -115,6 +116,7 @@ declare const signInEmail: <O extends BetterAuthOptions>() => better_call0.Stric
   method: "POST";
   operationId: string;
   use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+  cloneRequest: true;
   body: z.ZodObject<{
     email: z.ZodString;
     password: z.ZodString;

package/dist/api/routes/sign-in.mjs

@@ -2,10 +2,12 @@ import { formCsrfMiddleware } from "../middlewares/origin-check.mjs";
 import { parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
-import { generateState } from "../../oauth2/state.mjs";
+import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { generateState } from "../../oauth2/state.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
+import { additionalAuthorizationParamsSchema } from "@better-auth/core/oauth2";
 import { SocialProviderListEnum } from "@better-auth/core/social-providers";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
@@ -33,6 +35,7 @@ const socialSignInBodySchema = z.object({
 	scopes: z.array(z.string()).meta({ description: "Array of scopes to request from the provider. This will override the default scopes passed." }).optional(),
 	requestSignUp: z.boolean().meta({ description: "Explicitly request sign-up. Useful when disableImplicitSignUp is true for this provider" }).optional(),
 	loginHint: z.string().meta({ description: "The login hint to use for the authorization code request" }).optional(),
+	additionalParams: additionalAuthorizationParamsSchema,
 	additionalData: z.record(z.string(), z.any()).optional().meta({ description: "Additional data to be passed through the OAuth flow" })
 });
 const signInSocial = () => createAuthEndpoint("/sign-in/social", {
@@ -48,10 +51,10 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 			description: "Sign in with a social provider",
 			operationId: "socialSignIn",
 			responses: { "200": {
-				description: "Success - Returns either session details or redirect URL",
+				description: "Success - Returns session details (idToken branch) or an authorize URL (redirect branch)",
 				content: { "application/json": { schema: {
 					type: "object",
-					description: "Session response when idToken is provided",
+					description: "Returns session details when idToken is provided, or an authorize URL otherwise",
 					properties: {
 						token: { type: "string" },
 						user: {
@@ -59,16 +62,9 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 							$ref: "#/components/schemas/User"
 						},
 						url: { type: "string" },
-						redirect: {
-							type: "boolean",
-							enum: [false]
-						}
+						redirect: { type: "boolean" }
 					},
-					required: [
-						"redirect",
-						"token",
-						"user"
-					]
+					required: ["redirect"]
 				} } }
 			} }
 		}
@@ -100,7 +96,7 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 			throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.FAILED_TO_GET_USER_INFO);
 		}
 		if (!userInfo.user.email) {
-			c.context.logger.error("User email not found", { provider: c.body.provider });
+			c.context.logger.error(missingEmailLogMessage(c.body.provider, { source: "id_token" }), { provider: c.body.provider });
 			throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.USER_EMAIL_NOT_FOUND);
 		}
 		const data = await handleOAuthUserInfo(c, {
@@ -138,7 +134,8 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 		codeVerifier,
 		redirectURI: `${c.context.baseURL}/callback/${provider.id}`,
 		scopes: c.body.scopes,
-		loginHint: c.body.loginHint
+		loginHint: c.body.loginHint,
+		additionalParams: c.body.additionalParams
 	});
 	if (!c.body.disableRedirect) c.setHeader("Location", url.toString());
 	return c.json({
@@ -150,6 +147,7 @@ const signInEmail = () => createAuthEndpoint("/sign-in/email", {
 	method: "POST",
 	operationId: "signInEmail",
 	use: [formCsrfMiddleware],
+	cloneRequest: true,
 	body: z.object({
 		email: z.string().meta({ description: "Email of the user" }),
 		password: z.string().meta({ description: "Password of the user" }),
@@ -242,7 +240,7 @@ const signInEmail = () => createAuthEndpoint("/sign-in/email", {
 				user: user.user,
 				url,
 				token
-			}, ctx.request));
+			}, ctx.request?.clone()));
 		}
 		throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.EMAIL_NOT_VERIFIED);
 	}

package/dist/api/routes/sign-up.d.mts

@@ -16,6 +16,7 @@ declare const signUpEmail: <O extends BetterAuthOptions>() => better_call0.Stric
     callbackURL: z.ZodOptional<z.ZodString>;
     rememberMe: z.ZodOptional<z.ZodBoolean>;
   }, z.core.$strip>, z.ZodRecord<z.ZodString, z.ZodAny>>;
+  cloneRequest: true;
   metadata: {
     allowedMediaTypes: string[];
     $Infer: {

package/dist/api/routes/sign-up.mjs

@@ -1,6 +1,6 @@
 import { isAPIError } from "../../utils/is-api-error.mjs";
 import { formCsrfMiddleware } from "../middlewares/origin-check.mjs";
-import { parseUserInput, parseUserOutput } from "../../db/schema.mjs";
+import { buildSyntheticUserOutput, parseUserInput, parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";
 import { runWithTransaction } from "@better-auth/core/context";
@@ -23,6 +23,7 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 	operationId: "signUpWithEmailAndPassword",
 	use: [formCsrfMiddleware],
 	body: signUpEmailBodySchema,
+	cloneRequest: true,
 	metadata: {
 		allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 		$Infer: {
@@ -157,7 +158,7 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 			ctx.context.logger.error("Password is too long");
 			throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.PASSWORD_TOO_LONG);
 		}
-		const shouldReturnGenericDuplicateResponse = ctx.context.options.emailAndPassword.requireEmailVerification;
+		const shouldReturnGenericDuplicateResponse = ctx.context.options.emailAndPassword.requireEmailVerification || ctx.context.options.emailAndPassword.autoSignIn === false;
 		const shouldSkipAutoSignIn = ctx.context.options.emailAndPassword.autoSignIn === false || shouldReturnGenericDuplicateResponse;
 		const additionalUserFields = parseUserInput(ctx.context.options, rest, "create");
 		const normalizedEmail = email.toLowerCase();
@@ -170,14 +171,14 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 				* between existing and non-existing emails.
 				*/
 				await ctx.context.password.hash(password);
-				if (ctx.context.options.emailAndPassword?.onExistingUserSignUp) await ctx.context.runInBackgroundOrAwait(ctx.context.options.emailAndPassword.onExistingUserSignUp({ user: dbUser.user }, ctx.request));
+				if (ctx.context.options.emailAndPassword?.onExistingUserSignUp) await ctx.context.runInBackgroundOrAwait(ctx.context.options.emailAndPassword.onExistingUserSignUp({ user: dbUser.user }, ctx.request?.clone()));
 				const now = /* @__PURE__ */ new Date();
 				const generatedId = ctx.context.generateId({ model: "user" }) || generateId();
 				const coreFields = {
 					name,
 					email: normalizedEmail,
 					emailVerified: false,
-					image: image || null,
+					image: image ?? null,
 					createdAt: now,
 					updatedAt: now
 				};
@@ -187,16 +188,17 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 					const additionalFieldKeys = Object.keys(ctx.context.options.user?.additionalFields ?? {});
 					const additionalFields = {};
 					for (const key of additionalFieldKeys) if (key in additionalUserFields) additionalFields[key] = additionalUserFields[key];
-					syntheticUser = customSyntheticUser({
+					const customResult = customSyntheticUser({
 						coreFields,
 						additionalFields,
 						id: generatedId
 					});
-				} else syntheticUser = {
+					syntheticUser = buildSyntheticUserOutput(ctx.context.options, customResult);
+				} else syntheticUser = buildSyntheticUserOutput(ctx.context.options, {
 					...coreFields,
 					...additionalUserFields,
 					id: generatedId
-				};
+				});
 				return ctx.json({
 					token: null,
 					user: parseUserOutput(ctx.context.options, syntheticUser)
@@ -244,7 +246,7 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 				user: createdUser,
 				url,
 				token
-			}, ctx.request));
+			}, ctx.request?.clone()));
 		}
 		if (shouldSkipAutoSignIn) return ctx.json({
 			token: null,

package/dist/api/routes/update-user.mjs

@@ -168,7 +168,7 @@ const changePassword = createAuthEndpoint("/change-password", {
 	await ctx.context.internalAdapter.updateAccount(account.id, { password: passwordHash });
 	let token = null;
 	if (revokeOtherSessions) {
-		await ctx.context.internalAdapter.deleteSessions(session.user.id);
+		await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 		const newSession = await ctx.context.internalAdapter.createSession(session.user.id);
 		if (!newSession) throw APIError.from("INTERNAL_SERVER_ERROR", BASE_ERROR_CODES.FAILED_TO_GET_SESSION);
 		await setSessionCookie(ctx, {
@@ -309,7 +309,7 @@ const deleteUser = createAuthEndpoint("/delete-user", {
 	const beforeDelete = ctx.context.options.user.deleteUser?.beforeDelete;
 	if (beforeDelete) await beforeDelete(session.user, ctx.request);
 	await ctx.context.internalAdapter.deleteUser(session.user.id);
-	await ctx.context.internalAdapter.deleteSessions(session.user.id);
+	await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 	deleteSessionCookie(ctx);
 	const afterDelete = ctx.context.options.user.deleteUser?.afterDelete;
 	if (afterDelete) await afterDelete(session.user, ctx.request);
@@ -362,7 +362,7 @@ const deleteUserCallback = createAuthEndpoint("/delete-user/callback", {
 	const beforeDelete = ctx.context.options.user.deleteUser?.beforeDelete;
 	if (beforeDelete) await beforeDelete(session.user, ctx.request);
 	await ctx.context.internalAdapter.deleteUser(session.user.id);
-	await ctx.context.internalAdapter.deleteSessions(session.user.id);
+	await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 	await ctx.context.internalAdapter.deleteAccounts(session.user.id);
 	await ctx.context.internalAdapter.deleteVerificationByIdentifier(`delete-account-${ctx.query.token}`);
 	deleteSessionCookie(ctx);
@@ -410,7 +410,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 }, async (ctx) => {
 	if (!ctx.context.options.user?.changeEmail?.enabled) {
 		ctx.context.logger.error("Change email is disabled.");
-		throw APIError.fromStatus("BAD_REQUEST", { message: "Change email is disabled" });
+		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.CHANGE_EMAIL_DISABLED);
 	}
 	const newEmail = ctx.body.newEmail.toLowerCase();
 	if (newEmail === ctx.context.session.user.email) {
@@ -424,8 +424,8 @@ const changeEmail = createAuthEndpoint("/change-email", {
 	* email would later throw 400, leaking email existence.
 	*/
 	const canUpdateWithoutVerification = ctx.context.session.user.emailVerified !== true && ctx.context.options.user.changeEmail.updateEmailWithoutVerification;
-	const canSendConfirmation = ctx.context.session.user.emailVerified && ctx.context.options.user.changeEmail.sendChangeEmailConfirmation;
 	const canSendVerification = ctx.context.options.emailVerification?.sendVerificationEmail;
+	const canSendConfirmation = canSendVerification && ctx.context.session.user.emailVerified && ctx.context.options.user.changeEmail.sendChangeEmailConfirmation;
 	if (!canUpdateWithoutVerification && !canSendConfirmation && !canSendVerification) {
 		ctx.context.logger.error("Verification email isn't enabled.");
 		throw APIError.fromStatus("BAD_REQUEST", { message: "Verification email isn't enabled" });
@@ -449,7 +449,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 		});
 		if (canSendVerification) {
 			const token = await createEmailVerificationToken(ctx.context.secret, newEmail, void 0, ctx.context.options.emailVerification?.expiresIn);
-			const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || "/"}`;
+			const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(ctx.body.callbackURL || "/")}`;
 			await ctx.context.runInBackgroundOrAwait(canSendVerification({
 				user: {
 					...ctx.context.session.user,
@@ -466,7 +466,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 	*/
 	if (canSendConfirmation) {
 		const token = await createEmailVerificationToken(ctx.context.secret, ctx.context.session.user.email, newEmail, ctx.context.options.emailVerification?.expiresIn, { requestType: "change-email-confirmation" });
-		const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || "/"}`;
+		const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(ctx.body.callbackURL || "/")}`;
 		await ctx.context.runInBackgroundOrAwait(canSendConfirmation({
 			user: ctx.context.session.user,
 			newEmail,
@@ -480,7 +480,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 		throw APIError.fromStatus("BAD_REQUEST", { message: "Verification email isn't enabled" });
 	}
 	const token = await createEmailVerificationToken(ctx.context.secret, ctx.context.session.user.email, newEmail, ctx.context.options.emailVerification?.expiresIn, { requestType: "change-email-verification" });
-	const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || "/"}`;
+	const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(ctx.body.callbackURL || "/")}`;
 	await ctx.context.runInBackgroundOrAwait(canSendVerification({
 		user: {
 			...ctx.context.session.user,

package/dist/api/to-auth-endpoints.mjs

@@ -117,7 +117,13 @@ function toAuthEndpoints(endpoints, ctx) {
 							* headers override while cookies accumulate.
 							*/
 							const ctxHeaders = e[kAPIErrorHeaderSymbol];
-							const errHeaders = e.headers ? new Headers(e.headers) : null;
+							/**
+							* `c.redirect()` (and similar APIError throws) reuse
+							* `ctx.responseHeaders` as `e.headers`, so when both sources
+							* reference the same Headers, iterating both duplicates every
+							* `set-cookie`. Skip the `errHeaders` copy in that case.
+							*/
+							const errHeaders = e.headers && e.headers !== ctxHeaders ? new Headers(e.headers) : null;
 							let headers = null;
 							if (ctxHeaders || errHeaders) {
 								headers = new Headers();

package/dist/auth/base.mjs

@@ -7,38 +7,41 @@ import { BASE_ERROR_CODES, BetterAuthError } from "@better-auth/core/error";
 const createBetterAuth = (options, initFn) => {
 	const authContext = initFn(options);
 	const { api } = getEndpoints(authContext, options);
-	return {
-		handler: async (request) => {
-			const ctx = await authContext;
-			const basePath = ctx.options.basePath || "/api/auth";
-			let handlerCtx;
-			if (isDynamicBaseURLConfig(options.baseURL)) handlerCtx = await resolveRequestContext(ctx, request, resolveDynamicTrustedProxyHeaders(ctx.options));
-			else {
-				handlerCtx = ctx;
-				if (!ctx.options.baseURL) {
-					const baseURL = getBaseURL(void 0, basePath, request, void 0, ctx.options.advanced?.trustedProxyHeaders);
-					if (baseURL) {
-						ctx.baseURL = baseURL;
-						ctx.options.baseURL = getOrigin(ctx.baseURL) || void 0;
-					} else throw new BetterAuthError("Could not get base URL from request. Please provide a valid base URL.");
-				}
-				handlerCtx.trustedOrigins = await getTrustedOrigins(ctx.options, request);
-				handlerCtx.trustedProviders = await getTrustedProviders(ctx.options, request);
+	const errorCodes = options.plugins?.reduce((acc, plugin) => {
+		if (plugin.$ERROR_CODES) return {
+			...acc,
+			...plugin.$ERROR_CODES
+		};
+		return acc;
+	}, {});
+	const handler = async (request) => {
+		const ctx = await authContext;
+		const basePath = ctx.options.basePath || "/api/auth";
+		let handlerCtx;
+		if (isDynamicBaseURLConfig(options.baseURL)) handlerCtx = await resolveRequestContext(ctx, request, resolveDynamicTrustedProxyHeaders(ctx.options));
+		else {
+			handlerCtx = ctx;
+			if (!ctx.options.baseURL) {
+				const baseURL = getBaseURL(void 0, basePath, request, void 0, ctx.options.advanced?.trustedProxyHeaders);
+				if (baseURL) {
+					ctx.baseURL = baseURL;
+					ctx.options.baseURL = getOrigin(ctx.baseURL) || void 0;
+				} else throw new BetterAuthError("Could not get base URL from request. Please provide a valid base URL.");
 			}
-			const { handler } = router(handlerCtx, options);
-			return runWithAdapter(handlerCtx.adapter, () => handler(request));
-		},
+			handlerCtx.trustedOrigins = await getTrustedOrigins(ctx.options, request);
+			handlerCtx.trustedProviders = await getTrustedProviders(ctx.options, request);
+		}
+		const { handler } = router(handlerCtx, options);
+		return runWithAdapter(handlerCtx.adapter, () => handler(request));
+	};
+	return {
+		handler,
+		fetch: handler,
 		api,
 		options,
 		$context: authContext,
 		$ERROR_CODES: {
-			...options.plugins?.reduce((acc, plugin) => {
-				if (plugin.$ERROR_CODES) return {
-					...acc,
-					...plugin.$ERROR_CODES
-				};
-				return acc;
-			}, {}),
+			...errorCodes,
 			...BASE_ERROR_CODES
 		}
 	};

package/dist/client/config.mjs

@@ -1,7 +1,7 @@
 import { getBaseURL } from "../utils/url.mjs";
 import { parseJSON } from "./parser.mjs";
 import { redirectPlugin } from "./fetch-plugins.mjs";
-import { getSessionAtom } from "./session-atom.mjs";
+import { getSessionAtom, hydrateSessionAtom } from "./session-atom.mjs";
 import { defu } from "defu";
 import { createFetch } from "@better-fetch/fetch";
 //#region src/client/config.ts
@@ -52,6 +52,12 @@ const getClientConfig = (options, loadEnv) => {
 		]
 	});
 	const { $sessionSignal, session, broadcastSessionUpdate } = getSessionAtom($fetch, options);
+	let hasHydrated = false;
+	const hydrateSession = (sessionData) => {
+		if (hasHydrated || sessionData === null) return;
+		hasHydrated = true;
+		hydrateSessionAtom(session, sessionData);
+	};
 	const plugins = options?.plugins || [];
 	let pluginsActions = {};
 	const pluginsAtoms = {
@@ -97,6 +103,7 @@ const getClientConfig = (options, loadEnv) => {
 		pluginsAtoms,
 		pluginPathMethods,
 		atomListeners,
+		hydrateSession,
 		$fetch,
 		$store
 	};