better-auth 1.7.0-beta.2 → 1.7.0-beta.4

package/dist/client/fetch-plugins.mjs

@@ -1,9 +1,10 @@
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 //#region src/client/fetch-plugins.ts
 const redirectPlugin = {
 	id: "redirect",
 	name: "Redirect",
 	hooks: { onSuccess(context) {
-		if (context.data?.url && context.data?.redirect) {
+		if (context.data?.url && context.data?.redirect && isSafeUrlScheme(context.data.url)) {
 			if (typeof window !== "undefined" && window.location) {
 				if (window.location) try {
 					window.location.href = context.data.url;

package/dist/client/index.d.mts

@@ -8,7 +8,7 @@ import { parseJSON } from "./parser.mjs";
 import { AuthQueryAtom, useAuthQuery } from "./query.mjs";
 import { SessionRefreshOptions, SessionResponse, createSessionRefreshManager } from "./session-refresh.mjs";
 import { AuthClient, createAuthClient } from "./vanilla.mjs";
-import { AccessControl, ArrayElement, Role, Statements, SubArray, Subset } from "../plugins/access/types.mjs";
+import { AccessControl, ArrayElement, ExactRoleStatements, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, Statements, SubArray, Subset } from "../plugins/access/types.mjs";
 import { AuthorizeResponse, createAccessControl, role } from "../plugins/access/access.mjs";
 import { OrganizationOptions } from "../plugins/organization/types.mjs";
 import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferTeam, Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, Team, TeamInput, TeamMember, TeamMemberInput, defaultRolesSchema, invitationSchema, invitationStatus, memberSchema, organizationRoleSchema, organizationSchema, roleSchema, teamMemberSchema, teamSchema } from "../plugins/organization/schema.mjs";
@@ -31,4 +31,4 @@ declare function InferAuth<O extends {
   options: BetterAuthOptions;
 }>(): O["options"];
 //#endregion
-export { AccessControl, ArrayElement, AuthClient, AuthQueryAtom, AuthorizeResponse, BetterAuthClientOptions, BetterAuthClientPlugin, BroadcastChannel, BroadcastListener, BroadcastMessage, CamelCase, ClientAtomListener, ClientStore, type DBPrimitive, DefaultOrganizationPlugin, DynamicAccessControlEndpoints, ExtractPluginField, type FocusListener, type FocusManager, HasRequiredKeys, InferActions, InferAdditionalFromClient, InferAuth, InferClientAPI, InferCtx, InferErrorCodes, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPlugin, InferPluginFieldFromTuple, InferRoute, InferRoutes, InferSessionFromClient, InferSignUpEmailCtx, InferTeam, InferUserFromClient, InferUserUpdateCtx, Invitation, InvitationInput, InvitationStatus, IsAny, IsSignal, Member, MemberInput, MergeRoutes, type OnlineListener, type OnlineManager, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, OverrideMerge, PathToObject, Prettify, PrettifyDeep, ProxyRequest, RequiredKeysOf, Role, SessionQueryParams, SessionRefreshOptions, SessionResponse, Statements, StripEmptyObjects, SubArray, Subset, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, type UnionToIntersection, createAccessControl, createAuthClient, createSessionRefreshManager, defaultRolesSchema, getGlobalBroadcastChannel, getOrgAdapter, hasPermission, invitationSchema, invitationStatus, kBroadcastChannel, kFocusManager, kOnlineManager, memberSchema, organization, organizationRoleSchema, organizationSchema, parseJSON, parseRoles, role, roleSchema, teamMemberSchema, teamSchema, useAuthQuery };
+export { AccessControl, ArrayElement, AuthClient, AuthQueryAtom, AuthorizeResponse, BetterAuthClientOptions, BetterAuthClientPlugin, BroadcastChannel, BroadcastListener, BroadcastMessage, CamelCase, ClientAtomListener, ClientStore, type DBPrimitive, DefaultOrganizationPlugin, DynamicAccessControlEndpoints, ExactRoleStatements, ExtractPluginField, type FocusListener, type FocusManager, HasRequiredKeys, InferActions, InferAdditionalFromClient, InferAuth, InferClientAPI, InferCtx, InferErrorCodes, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPlugin, InferPluginFieldFromTuple, InferRoute, InferRoutes, InferSessionFromClient, InferSignUpEmailCtx, InferTeam, InferUserFromClient, InferUserUpdateCtx, Invitation, InvitationInput, InvitationStatus, IsAny, IsSignal, Member, MemberInput, MergeRoutes, type OnlineListener, type OnlineManager, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, OverrideMerge, PathToObject, Prettify, PrettifyDeep, ProxyRequest, RequiredKeysOf, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SessionQueryParams, SessionRefreshOptions, SessionResponse, Statements, StripEmptyObjects, SubArray, Subset, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, type UnionToIntersection, createAccessControl, createAuthClient, createSessionRefreshManager, defaultRolesSchema, getGlobalBroadcastChannel, getOrgAdapter, hasPermission, invitationSchema, invitationStatus, kBroadcastChannel, kFocusManager, kOnlineManager, memberSchema, organization, organizationRoleSchema, organizationSchema, parseJSON, parseRoles, role, roleSchema, teamMemberSchema, teamSchema, useAuthQuery };

package/dist/client/lynx/index.d.mts

@@ -14,6 +14,19 @@ type InferResolvedHooks<O extends BetterAuthClientOptions> = O extends {
   plugins: Array<infer Plugin>;
 } ? UnionToIntersection<Plugin extends BetterAuthClientPlugin ? Plugin["getAtoms"] extends ((fetch: any) => infer Atoms) ? Atoms extends Record<string, any> ? { [key in keyof Atoms as IsSignal<key> extends true ? never : key extends string ? `use${Capitalize<key>}` : never]: () => ReturnType<Atoms[key]["get"]> } : {} : {} : {}> : {};
 declare function createAuthClient<Option extends BetterAuthClientOptions>(options?: Option | undefined): UnionToIntersection<InferResolvedHooks<Option>> & InferClientAPI<Option> & InferActions<Option> & {
+  hydrateSession: (session: NonNullable<InferClientAPI<Option> extends {
+    getSession: () => Promise<infer Res>;
+  } ? Res extends {
+    data: null;
+    error: {
+      message?: string | undefined;
+      status: number;
+      statusText: string;
+    };
+  } | {
+    data: infer S;
+    error: null;
+  } ? S : Res : never> | null) => void;
   useSession: () => {
     data: InferClientAPI<Option> extends {
       getSession: () => Promise<infer Res>;

package/dist/client/lynx/index.mjs

@@ -7,12 +7,13 @@ function getAtomKey(str) {
 	return `use${capitalizeFirstLetter(str)}`;
 }
 function createAuthClient(options) {
-	const { pluginPathMethods, pluginsActions, pluginsAtoms, $fetch, $store, atomListeners } = getClientConfig(options);
+	const { pluginPathMethods, pluginsActions, pluginsAtoms, hydrateSession, $fetch, $store, atomListeners } = getClientConfig(options);
 	const resolvedHooks = {};
 	for (const [key, value] of Object.entries(pluginsAtoms)) resolvedHooks[getAtomKey(key)] = () => useStore(value);
 	return createDynamicPathProxy({
 		...pluginsActions,
 		...resolvedHooks,
+		hydrateSession,
 		$fetch,
 		$store
 	}, $fetch, pluginPathMethods, pluginsAtoms, atomListeners);

package/dist/client/parser.mjs

@@ -34,7 +34,6 @@ function betterJSONParse(value, options = {}) {
 	const { strict = false, warnings = false, reviver, parseDates = true } = options;
 	if (typeof value !== "string") return value;
 	const trimmed = value.trim();
-	if (trimmed.length > 0 && trimmed[0] === "\"" && trimmed.endsWith("\"") && !trimmed.slice(1, -1).includes("\"")) return trimmed.slice(1, -1);
 	const lowerValue = trimmed.toLowerCase();
 	if (lowerValue.length <= 9 && lowerValue in SPECIAL_VALUES) return SPECIAL_VALUES[lowerValue];
 	if (!JSON_SIGNATURE.test(trimmed)) {

package/dist/client/plugins/index.d.mts

@@ -1,19 +1,9 @@
+import { FieldAttributeToObject, RemoveFieldsWithReturnedFalse } from "../../db/field.mjs";
 import { ExtractPluginField, HasRequiredKeys, InferPluginFieldFromTuple, IsAny, OverrideMerge, Prettify, PrettifyDeep, RequiredKeysOf, StripEmptyObjects, UnionToIntersection } from "../../types/helper.mjs";
 import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferTeam, Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, Team, TeamInput, TeamMember, TeamMemberInput, defaultRolesSchema, invitationSchema, invitationStatus, memberSchema, organizationRoleSchema, organizationSchema, roleSchema, teamMemberSchema, teamSchema } from "../../plugins/organization/schema.mjs";
 import { AdminOptions, InferAdminRolesFromOption, SessionWithImpersonatedBy, UserWithRole } from "../../plugins/admin/types.mjs";
 import { schema } from "../../plugins/anonymous/schema.mjs";
 import { AnonymousOptions, AnonymousSession, UserWithAnonymous } from "../../plugins/anonymous/types.mjs";
-import { GenericOAuthConfig, GenericOAuthOptions } from "../../plugins/generic-oauth/types.mjs";
-import { Auth0Options, auth0 } from "../../plugins/generic-oauth/providers/auth0.mjs";
-import { GumroadOptions, gumroad } from "../../plugins/generic-oauth/providers/gumroad.mjs";
-import { HubSpotOptions, hubspot } from "../../plugins/generic-oauth/providers/hubspot.mjs";
-import { KeycloakOptions, keycloak } from "../../plugins/generic-oauth/providers/keycloak.mjs";
-import { LineOptions, line } from "../../plugins/generic-oauth/providers/line.mjs";
-import { MicrosoftEntraIdOptions, microsoftEntraId } from "../../plugins/generic-oauth/providers/microsoft-entra-id.mjs";
-import { OktaOptions, okta } from "../../plugins/generic-oauth/providers/okta.mjs";
-import { PatreonOptions, patreon } from "../../plugins/generic-oauth/providers/patreon.mjs";
-import { SlackOptions, slack } from "../../plugins/generic-oauth/providers/slack.mjs";
-import { BaseOAuthProviderOptions } from "../../plugins/generic-oauth/index.mjs";
 import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions, ResolvedSigningKey } from "../../plugins/jwt/types.mjs";
 import { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody } from "../../plugins/oidc-provider/types.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "../../plugins/multi-session/error-codes.mjs";
@@ -30,16 +20,13 @@ import { USERNAME_ERROR_CODES } from "../../plugins/username/error-codes.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../../plugins/organization/error-codes.mjs";
 import { inferAdditionalFields } from "../../plugins/additional-fields/client.mjs";
 import { ADMIN_ERROR_CODES } from "../../plugins/admin/error-codes.mjs";
-import { adminClient } from "../../plugins/admin/client.mjs";
+import { AdminClientOptions, adminClient } from "../../plugins/admin/client.mjs";
 import { ANONYMOUS_ERROR_CODES } from "../../plugins/anonymous/error-codes.mjs";
 import { anonymousClient } from "../../plugins/anonymous/client.mjs";
 import { customSessionClient } from "../../plugins/custom-session/client.mjs";
 import { deviceAuthorizationClient } from "../../plugins/device-authorization/client.mjs";
 import { EMAIL_OTP_ERROR_CODES } from "../../plugins/email-otp/error-codes.mjs";
 import { emailOTPClient } from "../../plugins/email-otp/client.mjs";
-import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
-import { GENERIC_OAUTH_ERROR_CODES } from "../../plugins/generic-oauth/error-codes.mjs";
-import { genericOAuthClient } from "../../plugins/generic-oauth/client.mjs";
 import { jwtClient } from "../../plugins/jwt/client.mjs";
 import { LastLoginMethodClientConfig, lastLoginMethodClient } from "../../plugins/last-login-method/client.mjs";
 import { magicLinkClient } from "../../plugins/magic-link/client.mjs";
@@ -47,10 +34,10 @@ import { multiSessionClient } from "../../plugins/multi-session/client.mjs";
 import { OidcClientPlugin, oidcClient } from "../../plugins/oidc-provider/client.mjs";
 import { GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, oneTapClient } from "../../plugins/one-tap/client.mjs";
 import { oneTimeTokenClient } from "../../plugins/one-time-token/client.mjs";
-import { clientSideHasPermission, inferOrgAdditionalFields, organizationClient } from "../../plugins/organization/client.mjs";
+import { OrganizationClientOptions, clientSideHasPermission, inferOrgAdditionalFields, organizationClient } from "../../plugins/organization/client.mjs";
 import { PHONE_NUMBER_ERROR_CODES } from "../../plugins/phone-number/error-codes.mjs";
 import { phoneNumberClient } from "../../plugins/phone-number/client.mjs";
 import { siweClient } from "../../plugins/siwe/client.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAUTH_CALLBACK_ERROR_CODES, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, RequiredKeysOf, ResolvedSigningKey, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminClientOptions, AdminOptions, AnonymousOptions, AnonymousSession, AuthorizationQuery, BackupCodeOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, type FieldAttributeToObject, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, HasRequiredKeys, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, LastLoginMethodClientConfig, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OneTimeTokenOptions, Organization, OrganizationClientOptions, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PhoneNumberOptions, Prettify, PrettifyDeep, type RemoveFieldsWithReturnedFalse, RequiredKeysOf, ResolvedSigningKey, SessionWithImpersonatedBy, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, getBackupCodes, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, lastLoginMethodClient, magicLinkClient, memberSchema, multiSessionClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, phoneNumberClient, roleSchema, schema, siweClient, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };

package/dist/client/plugins/index.mjs

@@ -1,4 +1,3 @@
-import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import { inferAdditionalFields } from "../../plugins/additional-fields/client.mjs";
 import { ADMIN_ERROR_CODES } from "../../plugins/admin/error-codes.mjs";
 import { adminClient } from "../../plugins/admin/client.mjs";
@@ -8,8 +7,6 @@ import { customSessionClient } from "../../plugins/custom-session/client.mjs";
 import { deviceAuthorizationClient } from "../../plugins/device-authorization/client.mjs";
 import { EMAIL_OTP_ERROR_CODES } from "../../plugins/email-otp/error-codes.mjs";
 import { emailOTPClient } from "../../plugins/email-otp/client.mjs";
-import { GENERIC_OAUTH_ERROR_CODES } from "../../plugins/generic-oauth/error-codes.mjs";
-import { genericOAuthClient } from "../../plugins/generic-oauth/client.mjs";
 import { jwtClient } from "../../plugins/jwt/client.mjs";
 import { lastLoginMethodClient } from "../../plugins/last-login-method/client.mjs";
 import { magicLinkClient } from "../../plugins/magic-link/client.mjs";
@@ -28,4 +25,4 @@ import { twoFactorClient } from "../../plugins/two-factor/client.mjs";
 import { USERNAME_ERROR_CODES } from "../../plugins/username/error-codes.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, GENERIC_OAUTH_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, OAUTH_CALLBACK_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, customSessionClient, deviceAuthorizationClient, emailOTPClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient };

package/dist/client/proxy.mjs

@@ -1,4 +1,5 @@
 import { isAtom } from "../utils/is-atom.mjs";
+import { toKebabCase } from "@better-auth/core/utils/string";
 //#region src/client/proxy.ts
 function getMethod(path, knownPathMethods, args) {
 	const method = knownPathMethods[path];
@@ -26,7 +27,7 @@ function createDynamicPathProxy(routes, client, knownPathMethods, atoms, atomLis
 				return createProxy(fullPath);
 			},
 			apply: async (_, __, args) => {
-				const routePath = "/" + path.map((segment) => segment.replace(/[A-Z]/g, (letter) => `-${letter.toLowerCase()}`)).join("/");
+				const routePath = "/" + path.map(toKebabCase).join("/");
 				const arg = args[0] || {};
 				const fetchOptions = args[1] || {};
 				const { query, fetchOptions: argFetchOptions, ...body } = arg;

package/dist/client/react/index.d.mts

@@ -14,6 +14,19 @@ type InferResolvedHooks<O extends BetterAuthClientOptions> = O extends {
   plugins: Array<infer Plugin>;
 } ? UnionToIntersection<Plugin extends BetterAuthClientPlugin ? Plugin["getAtoms"] extends ((fetch: any) => infer Atoms) ? Atoms extends Record<string, any> ? { [key in keyof Atoms as IsSignal<key> extends true ? never : key extends string ? `use${Capitalize<key>}` : never]: () => ReturnType<Atoms[key]["get"]> } : {} : {} : {}> : {};
 declare function createAuthClient<Option extends BetterAuthClientOptions>(options?: Option | undefined): UnionToIntersection<InferResolvedHooks<Option>> & InferClientAPI<Option> & InferActions<Option> & {
+  hydrateSession: (session: NonNullable<InferClientAPI<Option> extends {
+    getSession: () => Promise<infer Res>;
+  } ? Res extends {
+    data: null;
+    error: {
+      message?: string | undefined;
+      status: number;
+      statusText: string;
+    };
+  } | {
+    data: infer S;
+    error: null;
+  } ? S : Res : never> | null) => void;
   useSession: () => {
     data: InferClientAPI<Option> extends {
       getSession: () => Promise<infer Res>;

package/dist/client/react/index.mjs

@@ -7,12 +7,13 @@ function getAtomKey(str) {
 	return `use${capitalizeFirstLetter(str)}`;
 }
 function createAuthClient(options) {
-	const { pluginPathMethods, pluginsActions, pluginsAtoms, $fetch, $store, atomListeners } = getClientConfig(options);
+	const { pluginPathMethods, pluginsActions, pluginsAtoms, hydrateSession, $fetch, $store, atomListeners } = getClientConfig(options);
 	const resolvedHooks = {};
 	for (const [key, value] of Object.entries(pluginsAtoms)) resolvedHooks[getAtomKey(key)] = () => useStore(value);
 	return createDynamicPathProxy({
 		...pluginsActions,
 		...resolvedHooks,
+		hydrateSession,
 		$fetch,
 		$store
 	}, $fetch, pluginPathMethods, pluginsAtoms, atomListeners);

package/dist/client/session-atom.mjs

@@ -2,6 +2,17 @@ import { useAuthQuery } from "./query.mjs";
 import { createSessionRefreshManager } from "./session-refresh.mjs";
 import { atom, onMount } from "nanostores";
 //#region src/client/session-atom.ts
+function hydrateSessionAtom(sessionAtom, session) {
+	if (typeof window === "undefined") return;
+	const currentSession = sessionAtom.get();
+	if (currentSession.data !== null || session === null) return;
+	sessionAtom.set({
+		...currentSession,
+		data: session,
+		error: null,
+		isPending: false
+	});
+}
 function getSessionAtom($fetch, options) {
 	const $signal = atom(false);
 	const session = useAuthQuery($signal, "/get-session", $fetch, { method: "GET" });
@@ -26,4 +37,4 @@ function getSessionAtom($fetch, options) {
 	};
 }
 //#endregion
-export { getSessionAtom };
+export { getSessionAtom, hydrateSessionAtom };

package/dist/client/solid/index.d.mts

@@ -13,6 +13,19 @@ type InferResolvedHooks<O extends BetterAuthClientOptions> = O extends {
   plugins: Array<infer Plugin>;
 } ? UnionToIntersection<Plugin extends BetterAuthClientPlugin ? Plugin["getAtoms"] extends ((fetch: any) => infer Atoms) ? Atoms extends Record<string, any> ? { [key in keyof Atoms as IsSignal<key> extends true ? never : key extends string ? `use${Capitalize<key>}` : never]: () => Accessor<ReturnType<Atoms[key]["get"]>> } : {} : {} : {}> : {};
 declare function createAuthClient<Option extends BetterAuthClientOptions>(options?: Option | undefined): UnionToIntersection<InferResolvedHooks<Option>> & InferClientAPI<Option> & InferActions<Option> & {
+  hydrateSession: (session: NonNullable<InferClientAPI<Option> extends {
+    getSession: () => Promise<infer Res>;
+  } ? Res extends {
+    data: null;
+    error: {
+      message?: string | undefined;
+      status: number;
+      statusText: string;
+    };
+  } | {
+    data: infer S;
+    error: null;
+  } ? S : Res extends Record<string, any> ? Res : never : never> | null) => void;
   useSession: () => Accessor<{
     data: InferClientAPI<Option> extends {
       getSession: () => Promise<infer Res>;

package/dist/client/solid/index.mjs

@@ -7,12 +7,13 @@ function getAtomKey(str) {
 	return `use${capitalizeFirstLetter(str)}`;
 }
 function createAuthClient(options) {
-	const { pluginPathMethods, pluginsActions, pluginsAtoms, $fetch, atomListeners } = getClientConfig(options);
+	const { pluginPathMethods, pluginsActions, pluginsAtoms, hydrateSession, $fetch, atomListeners } = getClientConfig(options);
 	const resolvedHooks = {};
 	for (const [key, value] of Object.entries(pluginsAtoms)) resolvedHooks[getAtomKey(key)] = () => useStore(value);
 	return createDynamicPathProxy({
 		...pluginsActions,
-		...resolvedHooks
+		...resolvedHooks,
+		hydrateSession
 	}, $fetch, pluginPathMethods, pluginsAtoms, atomListeners);
 }
 //#endregion

package/dist/client/svelte/index.d.mts

@@ -14,6 +14,19 @@ type InferResolvedHooks<O extends BetterAuthClientOptions> = O extends {
   plugins: Array<infer Plugin>;
 } ? UnionToIntersection<Plugin extends BetterAuthClientPlugin ? Plugin["getAtoms"] extends ((fetch: any) => infer Atoms) ? Atoms extends Record<string, any> ? { [key in keyof Atoms as IsSignal<key> extends true ? never : key extends string ? `use${Capitalize<key>}` : never]: () => Atoms[key] } : {} : {} : {}> : {};
 declare function createAuthClient<Option extends BetterAuthClientOptions>(options?: Option | undefined): UnionToIntersection<InferResolvedHooks<Option>> & InferClientAPI<Option> & InferActions<Option> & {
+  hydrateSession: (session: NonNullable<InferClientAPI<Option> extends {
+    getSession: () => Promise<infer Res>;
+  } ? Res extends {
+    data: null;
+    error: {
+      message?: string | undefined;
+      status: number;
+      statusText: string;
+    };
+  } | {
+    data: infer S;
+    error: null;
+  } ? S : Res extends Record<string, any> ? Res : never : never> | null) => void;
   useSession: () => Atom<{
     data: InferClientAPI<Option> extends {
       getSession: () => Promise<infer Res>;

package/dist/client/svelte/index.mjs

@@ -3,12 +3,13 @@ import { createDynamicPathProxy } from "../proxy.mjs";
 import { capitalizeFirstLetter } from "@better-auth/core/utils/string";
 //#region src/client/svelte/index.ts
 function createAuthClient(options) {
-	const { pluginPathMethods, pluginsActions, pluginsAtoms, $fetch, atomListeners, $store } = getClientConfig(options);
+	const { pluginPathMethods, pluginsActions, pluginsAtoms, hydrateSession, $fetch, atomListeners, $store } = getClientConfig(options);
 	const resolvedHooks = {};
 	for (const [key, value] of Object.entries(pluginsAtoms)) resolvedHooks[`use${capitalizeFirstLetter(key)}`] = () => value;
 	return createDynamicPathProxy({
 		...pluginsActions,
 		...resolvedHooks,
+		hydrateSession,
 		$fetch,
 		$store
 	}, $fetch, pluginPathMethods, pluginsAtoms, atomListeners);

package/dist/client/vanilla.d.mts

@@ -12,6 +12,19 @@ type InferResolvedHooks<O extends BetterAuthClientOptions> = O extends {
   plugins: Array<infer Plugin>;
 } ? UnionToIntersection<Plugin extends BetterAuthClientPlugin ? Plugin["getAtoms"] extends ((fetch: any) => infer Atoms) ? Atoms extends Record<string, any> ? { [key in keyof Atoms as IsSignal<key> extends true ? never : key extends string ? `use${Capitalize<key>}` : never]: Atoms[key] } : {} : {} : {}> : {};
 declare function createAuthClient<Option extends BetterAuthClientOptions>(options?: Option | undefined): UnionToIntersection<InferResolvedHooks<Option>> & InferClientAPI<Option> & InferActions<Option> & {
+  hydrateSession: (session: NonNullable<InferClientAPI<Option> extends {
+    getSession: () => Promise<infer Res>;
+  } ? Res extends {
+    data: null;
+    error: {
+      message?: string | undefined;
+      status: number;
+      statusText: string;
+    };
+  } | {
+    data: infer S;
+    error: null;
+  } ? S : Res extends Record<string, any> ? Res : never : never> | null) => void;
   useSession: Atom<{
     data: InferClientAPI<Option> extends {
       getSession: () => Promise<infer Res>;

package/dist/client/vanilla.mjs

@@ -3,12 +3,13 @@ import { createDynamicPathProxy } from "./proxy.mjs";
 import { capitalizeFirstLetter } from "@better-auth/core/utils/string";
 //#region src/client/vanilla.ts
 function createAuthClient(options) {
-	const { pluginPathMethods, pluginsActions, pluginsAtoms, $fetch, atomListeners, $store } = getClientConfig(options);
+	const { pluginPathMethods, pluginsActions, pluginsAtoms, hydrateSession, $fetch, atomListeners, $store } = getClientConfig(options);
 	const resolvedHooks = {};
 	for (const [key, value] of Object.entries(pluginsAtoms)) resolvedHooks[`use${capitalizeFirstLetter(key)}`] = value;
 	return createDynamicPathProxy({
 		...pluginsActions,
 		...resolvedHooks,
+		hydrateSession,
 		$fetch,
 		$store
 	}, $fetch, pluginPathMethods, pluginsAtoms, atomListeners);

package/dist/client/vue/index.d.mts

@@ -14,6 +14,19 @@ type InferResolvedHooks<O extends BetterAuthClientOptions> = O extends {
   plugins: Array<infer Plugin>;
 } ? UnionToIntersection<Plugin extends BetterAuthClientPlugin ? Plugin["getAtoms"] extends ((fetch: any) => infer Atoms) ? Atoms extends Record<string, any> ? { [key in keyof Atoms as IsSignal<key> extends true ? never : key extends string ? `use${Capitalize<key>}` : never]: () => DeepReadonly<Ref<ReturnType<Atoms[key]["get"]>>> } : {} : {} : {}> : {};
 declare function createAuthClient<Option extends BetterAuthClientOptions>(options?: Option | undefined): UnionToIntersection<InferResolvedHooks<Option>> & InferClientAPI<Option> & InferActions<Option> & {
+  hydrateSession: (session: NonNullable<InferClientAPI<Option> extends {
+    getSession: () => Promise<infer Res>;
+  } ? Res extends {
+    data: null;
+    error: {
+      message?: string | undefined;
+      status: number;
+      statusText: string;
+    };
+  } | {
+    data: infer S;
+    error: null;
+  } ? S : Res extends Record<string, any> ? Res : never : never> | null) => void;
   useSession: {
     (): DeepReadonly<Ref<{
       data: InferClientAPI<Option> extends {

package/dist/client/vue/index.mjs

@@ -7,7 +7,7 @@ function getAtomKey(str) {
 	return `use${capitalizeFirstLetter(str)}`;
 }
 function createAuthClient(options) {
-	const { baseURL, pluginPathMethods, pluginsActions, pluginsAtoms, $fetch, $store, atomListeners } = getClientConfig(options, false);
+	const { baseURL, pluginPathMethods, pluginsActions, pluginsAtoms, hydrateSession, $fetch, $store, atomListeners } = getClientConfig(options, false);
 	const resolvedHooks = {};
 	for (const [key, value] of Object.entries(pluginsAtoms)) resolvedHooks[getAtomKey(key)] = () => useStore(value);
 	function useSession(useFetch) {
@@ -26,6 +26,7 @@ function createAuthClient(options) {
 	return createDynamicPathProxy({
 		...pluginsActions,
 		...resolvedHooks,
+		hydrateSession,
 		useSession,
 		$fetch,
 		$store

package/dist/context/create-context.mjs

@@ -42,18 +42,14 @@ function validateSecret(secret, logger) {
 	if (estimateEntropy(secret) < 120) logger.warn("[better-auth] Warning: your BETTER_AUTH_SECRET appears low-entropy. Use a randomly generated secret for production.");
 }
 async function createAuthContext(adapter, options, getDatabaseType) {
-	if (!options.database) options = defu$1(options, {
-		session: { cookieCache: {
-			enabled: true,
-			strategy: "jwe",
-			refreshCache: true,
-			maxAge: options.session?.expiresIn || 3600 * 24 * 7
-		} },
-		account: {
-			storeStateStrategy: "cookie",
-			storeAccountCookie: true
-		}
-	});
+	const isStateful = !!options.database || !!options.secondaryStorage;
+	if (!isStateful) options = defu$1(options, { session: { cookieCache: {
+		enabled: true,
+		strategy: "jwe",
+		refreshCache: true,
+		maxAge: options.session?.expiresIn || 3600 * 24 * 7
+	} } });
+	if (!options.database) options = defu$1(options, { account: { storeAccountCookie: true } });
 	const plugins = options.plugins || [];
 	const internalPlugins = getInternalPlugins(options);
 	const logger = createLogger(options.logger);
@@ -130,7 +126,7 @@ Most of the features of Better Auth will not work correctly.`);
 		socialProviders: providers,
 		options,
 		oauthConfig: {
-			storeStateStrategy: options.account?.storeStateStrategy || (options.database ? "database" : "cookie"),
+			storeStateStrategy: options.account?.storeStateStrategy || (isStateful ? "database" : "cookie"),
 			skipStateCookieCheck: !!options.account?.skipStateCookieCheck
 		},
 		tables,
@@ -146,7 +142,7 @@ Most of the features of Better Auth will not work correctly.`);
 			cookieRefreshCache: (() => {
 				const refreshCache = options.session?.cookieCache?.refreshCache;
 				const maxAge = options.session?.cookieCache?.maxAge || 300;
-				if ((!!options.database || !!options.secondaryStorage) && refreshCache) {
+				if (isStateful && refreshCache) {
 					logger.warn("[better-auth] `session.cookieCache.refreshCache` is enabled while `database` or `secondaryStorage` is configured. `refreshCache` is meant for stateless (DB-less) setups. Disabling `refreshCache` — remove it from your config to silence this warning.");
 					return false;
 				}

package/dist/context/helpers.mjs

@@ -61,9 +61,10 @@ async function getTrustedOrigins(options, request) {
 	const trustedOrigins = [];
 	if (isDynamicBaseURLConfig(options.baseURL)) {
 		const allowedHosts = options.baseURL.allowedHosts;
+		const proto = options.baseURL.protocol;
 		for (const host of allowedHosts) if (!host.includes("://")) {
-			trustedOrigins.push(`https://${host}`);
-			if (isLoopbackHost(host)) trustedOrigins.push(`http://${host}`);
+			if (!proto || proto === "https" || proto === "auto") trustedOrigins.push(`https://${host}`);
+			if (proto === "http" || proto === "auto" || isLoopbackHost(host)) trustedOrigins.push(`http://${host}`);
 		} else trustedOrigins.push(host);
 		if (options.baseURL.fallback) try {
 			trustedOrigins.push(new URL(options.baseURL.fallback).origin);

package/dist/cookies/cookie-utils.d.mts

@@ -33,8 +33,40 @@ declare function stripSecureCookiePrefix(cookieName: string): string;
 declare function splitSetCookieHeader(setCookie: string): string[];
 declare function parseSetCookieHeader(setCookie: string): Map<string, CookieAttributes>;
 declare function toCookieOptions(attributes: CookieAttributes): ParsedCookieOptions;
+/**
+ * Cookie-name token char set per RFC 7230 §3.2.6.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+ */
+declare const cookieNameRegex: RegExp;
+/**
+ * Tolerates `;` separators without the SP that RFC 6265 §4.2.1 mandates,
+ * since proxies and runtimes commonly strip it. Silently drops entries
+ * whose name violates RFC 7230 token or whose value violates RFC 6265
+ * cookie-octet (plus space and comma). Strips optional surrounding
+ * double-quotes per RFC 6265 §4.1.1.
+ */
+declare function parseCookies(cookie: string): Map<string, string>;
+/**
+ * Add or replace a cookie in the request `Cookie` header.
+ *
+ * Cookie pairs are joined with `; `, but `headers.append("cookie", ...)`
+ * joins with `, ` in some runtimes (e.g. Deno, Cloudflare Workers) and
+ * breaks downstream cookie parsing. This builds the header value via
+ * parse-mutate-serialize.
+ */
+declare function setRequestCookie(headers: Headers, name: string, value: string): void;
+/**
+ * Merge `Set-Cookie` header values into the target's `Cookie` header.
+ * Mutates `target`.
+ *
+ * Name/value-level merge only. RFC 6265 §5 user-agent semantics
+ * (expiration, domain/path scoping, ordering) are out of scope. Suitable
+ * for single-request proxy, middleware, and test contexts.
+ */
+declare function applySetCookies(target: Headers, setCookieValues: Iterable<string>): void;
 declare function setCookieToHeader(headers: Headers): (context: {
   response: Response;
 }) => void;
 //#endregion
-export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/cookie-utils.mjs

@@ -1,5 +1,6 @@
 //#region src/cookies/cookie-utils.ts
 function tryDecode(str) {
+	if (str.indexOf("%") === -1) return str;
 	try {
 		return decodeURIComponent(str);
 	} catch {
@@ -49,9 +50,9 @@ function parseSetCookieHeader(setCookie) {
 	splitSetCookieHeader(setCookie).forEach((cookieString) => {
 		const [nameValue, ...attributes] = cookieString.split(";").map((part) => part.trim());
 		const [name, ...valueParts] = (nameValue || "").split("=");
-		const value = valueParts.join("=");
-		if (!name || value === void 0) return;
-		const attrObj = { value: value.includes("%") ? tryDecode(value) : value };
+		const value = unquoteCookieValue(valueParts.join("="));
+		if (!name) return;
+		const attrObj = { value: tryDecode(value) };
 		attributes.forEach((attribute) => {
 			const [attrName, ...attrValueParts] = attribute.split("=");
 			const attrValue = attrValueParts.join("=");
@@ -102,21 +103,101 @@ function toCookieOptions(attributes) {
 		partitioned: attributes.partitioned
 	};
 }
+/**
+* Cookie-name token char set per RFC 7230 §3.2.6.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+*/
+const cookieNameRegex = /^[\w!#$%&'*.^`|~+-]+$/;
+/**
+* Cookie-value char set per RFC 6265 §4.1.1, plus space and comma.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
+* @see https://github.com/golang/go/issues/7243
+*/
+const cookieValueRegex = /^[ !#-:<-[\]-~]*$/;
+/**
+* Strip surrounding double-quotes per RFC 6265 §4.1.1 quoted-string form.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
+*/
+function unquoteCookieValue(value) {
+	if (value.length < 2 || !value.startsWith("\"") || !value.endsWith("\"")) return value;
+	return value.slice(1, -1);
+}
+/**
+* Trim leading/trailing OWS (space / horizontal tab) per RFC 7230 §3.2.3.
+* Narrower than `String.prototype.trim()`, which strips CR/LF and other
+* whitespace and would let CTLs escape `cookieValueRegex`.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.3
+*/
+function trimOWS(s) {
+	let start = 0;
+	let end = s.length;
+	while (start < end) {
+		const c = s.charCodeAt(start);
+		if (c !== 32 && c !== 9) break;
+		start++;
+	}
+	while (end > start) {
+		const c = s.charCodeAt(end - 1);
+		if (c !== 32 && c !== 9) break;
+		end--;
+	}
+	return start === 0 && end === s.length ? s : s.slice(start, end);
+}
+/**
+* Tolerates `;` separators without the SP that RFC 6265 §4.2.1 mandates,
+* since proxies and runtimes commonly strip it. Silently drops entries
+* whose name violates RFC 7230 token or whose value violates RFC 6265
+* cookie-octet (plus space and comma). Strips optional surrounding
+* double-quotes per RFC 6265 §4.1.1.
+*/
+function parseCookies(cookie) {
+	const cookieMap = /* @__PURE__ */ new Map();
+	if (cookie.length < 2) return cookieMap;
+	for (const chunk of cookie.split(";")) {
+		const eq = chunk.indexOf("=");
+		if (eq === -1) continue;
+		const key = trimOWS(chunk.slice(0, eq));
+		const val = unquoteCookieValue(trimOWS(chunk.slice(eq + 1)));
+		if (cookieNameRegex.test(key) && cookieValueRegex.test(val)) cookieMap.set(key, tryDecode(val));
+	}
+	return cookieMap;
+}
+/**
+* Add or replace a cookie in the request `Cookie` header.
+*
+* Cookie pairs are joined with `; `, but `headers.append("cookie", ...)`
+* joins with `, ` in some runtimes (e.g. Deno, Cloudflare Workers) and
+* breaks downstream cookie parsing. This builds the header value via
+* parse-mutate-serialize.
+*/
+function setRequestCookie(headers, name, value) {
+	const cookieMap = parseCookies(headers.get("cookie") || "");
+	if (cookieNameRegex.test(name)) cookieMap.set(name, value);
+	headers.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; "));
+}
+/**
+* Merge `Set-Cookie` header values into the target's `Cookie` header.
+* Mutates `target`.
+*
+* Name/value-level merge only. RFC 6265 §5 user-agent semantics
+* (expiration, domain/path scoping, ordering) are out of scope. Suitable
+* for single-request proxy, middleware, and test contexts.
+*/
+function applySetCookies(target, setCookieValues) {
+	const cookieMap = parseCookies(target.get("cookie") || "");
+	for (const setCookie of setCookieValues) for (const [name, attr] of parseSetCookieHeader(setCookie)) if (cookieNameRegex.test(name)) cookieMap.set(name, attr.value);
+	target.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; "));
+}
 function setCookieToHeader(headers) {
 	return (context) => {
 		const setCookieHeader = context.response.headers.get("set-cookie");
 		if (!setCookieHeader) return;
-		const cookieMap = /* @__PURE__ */ new Map();
-		(headers.get("cookie") || "").split(";").forEach((cookie) => {
-			const [name, ...rest] = cookie.trim().split("=");
-			if (name && rest.length > 0) cookieMap.set(name, rest.join("="));
-		});
-		parseSetCookieHeader(setCookieHeader).forEach((value, name) => {
-			cookieMap.set(name, value.value);
-		});
-		const updatedCookies = Array.from(cookieMap.entries()).map(([name, value]) => `${name}=${value}`).join("; ");
-		headers.set("cookie", updatedCookies);
+		applySetCookies(headers, [setCookieHeader]);
 	};
 }
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };