better-auth 1.7.0-beta.2 → 1.7.0-beta.4

package/dist/cookies/index.d.mts

@@ -1,5 +1,5 @@
 import { Session, User } from "../types/models.mjs";
-import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createSessionStore, getAccountCookie, getChunkedCookie } from "./session-store.mjs";
 import { BetterAuthCookie, BetterAuthCookies, BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import * as better_call0 from "better-call";
@@ -95,7 +95,6 @@ declare function setSessionCookie(ctx: GenericEndpointContext, session: {
  */
 declare function expireCookie(ctx: GenericEndpointContext, cookie: BetterAuthCookie): void;
 declare function deleteSessionCookie(ctx: GenericEndpointContext, skipDontRememberMe?: boolean | undefined): void;
-declare function parseCookies(cookieHeader: string): Map<string, string>;
 type EligibleCookies = (string & {}) | (keyof BetterAuthCookies & {});
 declare const getSessionCookie: (request: Request | Headers, config?: {
   cookiePrefix?: string;
@@ -116,4 +115,4 @@ declare const getCookieCache: <S extends {
   version?: string | ((session: Session & Record<string, any>, user: User & Record<string, any>) => string) | ((session: Session & Record<string, any>, user: User & Record<string, any>) => Promise<string>);
 } | undefined) => Promise<S | null>;
 //#endregion
-export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.mjs

@@ -4,7 +4,7 @@ import { parseUserOutput } from "../db/schema.mjs";
 import { getDate } from "../utils/date.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
 import { sec } from "../utils/time.mjs";
-import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { env, isProduction } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -134,9 +134,46 @@ async function setSessionCookie(ctx, session, dontRememberMe, overrides) {
 	ctx.context.setNewSession(session);
 }
 /**
+* Remove any prior `Set-Cookie` entries on the current response whose cookie
+* name matches `cookieName` or any chunked variant (`${cookieName}.0`, etc.).
+*
+* Prevents a valid cookie value from leaking on the wire when the same cookie
+* is set and then expired within a single request (e.g. `/sign-in/email`
+* writes credential session cookies and the 2FA after-hook expires them).
+* Browsers honor the expiring entry, but anything reading the raw response
+* headers — proxy/LB logs, server-side SDK consumers, observability tools —
+* sees the earlier valid value and could replay it (bypassing the 2FA gate
+* when the cookie cache is enabled).
+*
+* Scrubs both the local middleware scope's `responseHeaders` and the outer
+* endpoint scope's `ctx.context.responseHeaders`, because plugin after-hooks
+* run in a fresh local scope while accumulated response headers live on the
+* outer one. `scoped.context` is required by {@link GenericEndpointContext}
+* but unit-test mocks pass a minimal object via `as any`, so we use optional
+* chaining defensively. The `Set` collapses the case where both scopes
+* reference the same `Headers`.
+*/
+function removeSetCookieEntries(ctx, cookieName) {
+	const scoped = ctx;
+	const targets = /* @__PURE__ */ new Set();
+	if (scoped.responseHeaders) targets.add(scoped.responseHeaders);
+	if (scoped.context?.responseHeaders) targets.add(scoped.context.responseHeaders);
+	const exact = `${cookieName}=`;
+	const chunk = `${cookieName}.`;
+	for (const headers of targets) {
+		const existing = typeof headers.getSetCookie === "function" ? headers.getSetCookie() : splitSetCookieHeader(headers.get("set-cookie") || "");
+		if (!existing.length) continue;
+		const survivors = existing.filter((entry) => !entry.startsWith(exact) && !entry.startsWith(chunk));
+		if (survivors.length === existing.length) continue;
+		headers.delete("set-cookie");
+		for (const entry of survivors) headers.append("set-cookie", entry);
+	}
+}
+/**
 * Expires a cookie by setting `maxAge: 0` while preserving its attributes
 */
 function expireCookie(ctx, cookie) {
+	removeSetCookieEntries(ctx, cookie.name);
 	ctx.setCookie(cookie.name, "", {
 		...cookie.attributes,
 		maxAge: 0
@@ -157,15 +194,6 @@ function deleteSessionCookie(ctx, skipDontRememberMe) {
 	sessionStore.setCookies(cleanCookies);
 	if (!skipDontRememberMe) expireCookie(ctx, ctx.context.authCookies.dontRememberToken);
 }
-function parseCookies(cookieHeader) {
-	const cookies = cookieHeader.split("; ");
-	const cookieMap = /* @__PURE__ */ new Map();
-	cookies.forEach((cookie) => {
-		const [name, value] = cookie.split(/=(.*)/s);
-		cookieMap.set(name, value);
-	});
-	return cookieMap;
-}
 const getSessionCookie = (request, config) => {
 	const cookies = (request instanceof Headers || !("headers" in request) ? request : request.headers).get("cookie");
 	if (!cookies) return null;
@@ -258,4 +286,4 @@ const getCookieCache = async (request, config) => {
 	return null;
 };
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/session-store.mjs

@@ -1,4 +1,5 @@
 import { symmetricDecodeJWT, symmetricEncodeJWT } from "../crypto/jwt.mjs";
+import { parseCookies } from "./cookie-utils.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 import * as z from "zod";
 //#region src/cookies/session-store.ts
@@ -6,20 +7,6 @@ const ALLOWED_COOKIE_SIZE = 4096;
 const ESTIMATED_EMPTY_COOKIE_SIZE = 200;
 const CHUNK_SIZE = ALLOWED_COOKIE_SIZE - ESTIMATED_EMPTY_COOKIE_SIZE;
 /**
-* Parse cookies from the request headers
-*/
-function parseCookiesFromContext(ctx) {
-	const cookieHeader = ctx.headers?.get("cookie");
-	if (!cookieHeader) return {};
-	const cookies = {};
-	const pairs = cookieHeader.split("; ");
-	for (const pair of pairs) {
-		const [name, ...valueParts] = pair.split("=");
-		if (name && valueParts.length > 0) cookies[name] = valueParts.join("=");
-	}
-	return cookies;
-}
-/**
 * Extract the chunk index from a cookie name
 */
 function getChunkIndex(cookieName) {
@@ -33,8 +20,8 @@ function getChunkIndex(cookieName) {
 */
 function readExistingChunks(cookieName, ctx) {
 	const chunks = {};
-	const cookies = parseCookiesFromContext(ctx);
-	for (const [name, value] of Object.entries(cookies)) if (name.startsWith(cookieName)) chunks[name] = value;
+	const cookies = parseCookies(ctx.headers?.get("cookie") || "");
+	for (const [name, value] of cookies) if (name.startsWith(cookieName)) chunks[name] = value;
 	return chunks;
 }
 /**
@@ -140,13 +127,7 @@ function getChunkedCookie(ctx, cookieName) {
 	const chunks = [];
 	const cookieHeader = ctx.headers?.get("cookie");
 	if (!cookieHeader) return null;
-	const cookies = {};
-	const pairs = cookieHeader.split("; ");
-	for (const pair of pairs) {
-		const [name, ...valueParts] = pair.split("=");
-		if (name && valueParts.length > 0) cookies[name] = valueParts.join("=");
-	}
-	for (const [name, val] of Object.entries(cookies)) if (name.startsWith(cookieName + ".")) {
+	for (const [name, val] of parseCookies(cookieHeader)) if (name.startsWith(cookieName + ".")) {
 		const indexStr = name.split(".").at(-1);
 		const index = parseInt(indexStr || "0", 10);
 		if (!isNaN(index)) chunks.push({

package/dist/db/get-migration.mjs

@@ -269,13 +269,14 @@ async function getMigrations(config) {
 			return `${model}.${field}`;
 		}
 	}
+	const deferredIndexes = [];
 	if (toBeAdded.length) for (const table of toBeAdded) for (const [fieldName, field] of Object.entries(table.fields)) {
 		const type = getType(field, fieldName);
 		const builder = db.schema.alterTable(table.table);
 		if (field.index) {
 			const indexName = `${table.table}_${fieldName}_${field.unique ? "uidx" : "idx"}`;
 			const indexBuilder = db.schema.createIndex(indexName).on(table.table).columns([fieldName]);
-			migrations.push(field.unique ? indexBuilder.unique() : indexBuilder);
+			deferredIndexes.push(field.unique ? indexBuilder.unique() : indexBuilder);
 		}
 		const built = builder.addColumn(fieldName, type, (col) => {
 			col = field.required !== false ? col.notNull() : col;
@@ -287,7 +288,6 @@ async function getMigrations(config) {
 		});
 		migrations.push(built);
 	}
-	const toBeIndexed = [];
 	if (toBeCreated.length) for (const table of toBeCreated) {
 		const idType = getType({ type: useNumberId ? "number" : "string" }, "id");
 		let dbT = db.schema.createTable(table.table).addColumn("id", idType, (col) => {
@@ -315,12 +315,12 @@ async function getMigrations(config) {
 			});
 			if (field.index) {
 				const builder = db.schema.createIndex(`${table.table}_${fieldName}_${field.unique ? "uidx" : "idx"}`).on(table.table).columns([fieldName]);
-				toBeIndexed.push(field.unique ? builder.unique() : builder);
+				deferredIndexes.push(field.unique ? builder.unique() : builder);
 			}
 		}
 		migrations.push(dbT);
 	}
-	if (toBeIndexed.length) for (const index of toBeIndexed) migrations.push(index);
+	for (const index of deferredIndexes) migrations.push(index);
 	async function runMigrations() {
 		for (const migration of migrations) await migration.execute();
 	}

package/dist/db/index.d.mts

@@ -3,7 +3,7 @@ import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getSchema } from "./get-schema.mjs";
 import { DatabaseHooksEntry, getWithHooks } from "./with-hooks.mjs";
 import { createInternalAdapter } from "./internal-adapter.mjs";
-import { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
+import { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
 import { FieldAttributeToSchema, toZodSchema } from "./to-zod.mjs";
 export * from "@better-auth/core/db";
-export { DatabaseHooksEntry, FieldAttributeToObject, FieldAttributeToSchema, InferAdditionalFieldsFromPluginOptions, InferFieldsInputClient, InferFieldsOutput, RemoveFieldsWithReturnedFalse, convertFromDB, convertToDB, createInternalAdapter, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };
+export { DatabaseHooksEntry, FieldAttributeToObject, FieldAttributeToSchema, InferAdditionalFieldsFromPluginOptions, InferFieldsInputClient, InferFieldsOutput, RemoveFieldsWithReturnedFalse, buildSyntheticUserOutput, convertFromDB, convertToDB, createInternalAdapter, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };

package/dist/db/index.mjs

@@ -1,6 +1,6 @@
 import { __exportAll, __reExport } from "../_virtual/_rolldown/runtime.mjs";
 import { getSchema } from "./get-schema.mjs";
-import { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
+import { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
 import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getWithHooks } from "./with-hooks.mjs";
 import { createInternalAdapter } from "./internal-adapter.mjs";
@@ -8,6 +8,7 @@ import { toZodSchema } from "./to-zod.mjs";
 export * from "@better-auth/core/db";
 //#region src/db/index.ts
 var db_exports = /* @__PURE__ */ __exportAll({
+	buildSyntheticUserOutput: () => buildSyntheticUserOutput,
 	convertFromDB: () => convertFromDB,
 	convertToDB: () => convertToDB,
 	createInternalAdapter: () => createInternalAdapter,
@@ -28,4 +29,4 @@ var db_exports = /* @__PURE__ */ __exportAll({
 import * as import__better_auth_core_db from "@better-auth/core/db";
 __reExport(db_exports, import__better_auth_core_db);
 //#endregion
-export { convertFromDB, convertToDB, createInternalAdapter, db_exports, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };
+export { buildSyntheticUserOutput, convertFromDB, convertToDB, createInternalAdapter, db_exports, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };

package/dist/db/internal-adapter.mjs

@@ -15,8 +15,9 @@ const createInternalAdapter = (adapter, ctx) => {
 	const logger = ctx.logger;
 	const options = ctx.options;
 	const secondaryStorage = options.secondaryStorage;
+	const verificationConsumeLocks = /* @__PURE__ */ new Map();
 	const sessionExpiration = options.session?.expiresIn || 3600 * 24 * 7;
-	const { createWithHooks, updateWithHooks, updateManyWithHooks, deleteWithHooks, deleteManyWithHooks } = getWithHooks(adapter, ctx);
+	const { createWithHooks, updateWithHooks, updateManyWithHooks, deleteWithHooks, deleteManyWithHooks, consumeOneWithHooks } = getWithHooks(adapter, ctx);
 	async function refreshUserSessions(user) {
 		if (!secondaryStorage) return;
 		const listRaw = await secondaryStorage.get(`active-sessions-${user.id}`);
@@ -35,13 +36,30 @@ const createInternalAdapter = (adapter, ctx) => {
 			}), Math.floor(sessionTTL));
 		}));
 	}
+	async function withVerificationConsumeLock(key, fn) {
+		const previous = verificationConsumeLocks.get(key) ?? Promise.resolve();
+		let release;
+		const current = new Promise((resolve) => {
+			release = resolve;
+		});
+		const next = previous.catch(() => {}).then(() => current);
+		verificationConsumeLocks.set(key, next);
+		await previous.catch(() => {});
+		try {
+			return await fn();
+		} finally {
+			release();
+			if (verificationConsumeLocks.get(key) === next) verificationConsumeLocks.delete(key);
+		}
+	}
 	return {
 		createOAuthUser: async (user, account) => {
 			return runWithTransaction(adapter, async () => {
 				const createdUser = await createWithHooks({
 					createdAt: /* @__PURE__ */ new Date(),
 					updatedAt: /* @__PURE__ */ new Date(),
-					...user
+					...user,
+					email: user.email?.toLowerCase()
 				}, "user", void 0);
 				return {
 					user: createdUser,
@@ -364,27 +382,35 @@ const createInternalAdapter = (adapter, ctx) => {
 				value: userId
 			}], "account", void 0);
 		},
-		deleteAccount: async (accountId) => {
+		deleteAccount: async (id) => {
 			await deleteWithHooks([{
 				field: "id",
-				value: accountId
+				value: id
 			}], "account", void 0);
 		},
-		deleteSessions: async (userIdOrSessionTokens) => {
+		deleteUserSessions: async (userId) => {
 			if (secondaryStorage) {
-				if (typeof userIdOrSessionTokens === "string") {
-					const activeSession = await secondaryStorage.get(`active-sessions-${userIdOrSessionTokens}`);
-					const sessions = activeSession ? safeJSONParse(activeSession) : [];
-					if (!sessions) return;
-					for (const session of sessions) await secondaryStorage.delete(session.token);
-					await secondaryStorage.delete(`active-sessions-${userIdOrSessionTokens}`);
-				} else for (const sessionToken of userIdOrSessionTokens) if (await secondaryStorage.get(sessionToken)) await secondaryStorage.delete(sessionToken);
+				const activeSession = await secondaryStorage.get(`active-sessions-${userId}`);
+				const sessions = activeSession ? safeJSONParse(activeSession) : [];
+				if (!sessions) return;
+				for (const session of sessions) await secondaryStorage.delete(session.token);
+				await secondaryStorage.delete(`active-sessions-${userId}`);
 				if (!options.session?.storeSessionInDatabase || ctx.options.session?.preserveSessionInDatabase) return;
 			}
 			await deleteManyWithHooks([{
-				field: Array.isArray(userIdOrSessionTokens) ? "token" : "userId",
-				value: userIdOrSessionTokens,
-				operator: Array.isArray(userIdOrSessionTokens) ? "in" : void 0
+				field: "userId",
+				value: userId
+			}], "session", void 0);
+		},
+		deleteSessions: async (sessionTokens) => {
+			if (secondaryStorage) {
+				for (const sessionToken of sessionTokens) if (await secondaryStorage.get(sessionToken)) await secondaryStorage.delete(sessionToken);
+				if (!options.session?.storeSessionInDatabase || ctx.options.session?.preserveSessionInDatabase) return;
+			}
+			await deleteManyWithHooks([{
+				field: "token",
+				value: sessionTokens,
+				operator: "in"
 			}], "session", void 0);
 		},
 		findOAuthUser: async (email, accountId, providerId) => {
@@ -475,7 +501,10 @@ const createInternalAdapter = (adapter, ctx) => {
 			}, "account", void 0);
 		},
 		updateUser: async (userId, data) => {
-			const user = await updateWithHooks(data, [{
+			const user = await updateWithHooks({
+				...data,
+				...data.email ? { email: data.email.toLowerCase() } : {}
+			}, [{
 				field: "id",
 				value: userId
 			}], "user", void 0);
@@ -483,7 +512,10 @@ const createInternalAdapter = (adapter, ctx) => {
 			return user;
 		},
 		updateUserByEmail: async (email, data) => {
-			const user = await updateWithHooks(data, [{
+			const user = await updateWithHooks({
+				...data,
+				...data.email ? { email: data.email.toLowerCase() } : {}
+			}, [{
 				field: "email",
 				value: email.toLowerCase()
 			}], "user", void 0);
@@ -508,15 +540,6 @@ const createInternalAdapter = (adapter, ctx) => {
 				}]
 			});
 		},
-		findAccount: async (accountId) => {
-			return await (await getCurrentAdapter(adapter)).findOne({
-				model: "account",
-				where: [{
-					field: "accountId",
-					value: accountId
-				}]
-			});
-		},
 		findAccountByProviderId: async (accountId, providerId) => {
 			return await (await getCurrentAdapter(adapter)).findOne({
 				model: "account",
@@ -611,6 +634,84 @@ const createInternalAdapter = (adapter, ctx) => {
 				value: storedIdentifier
 			}], "verification", void 0);
 		},
+		consumeVerificationValue: async (identifier) => {
+			const storageOption = getStorageOption(identifier, options.verification?.storeIdentifier);
+			const storedIdentifier = await processIdentifier(identifier, storageOption);
+			const identifiersToTry = storageOption && storageOption !== "plain" ? [storedIdentifier, identifier] : [storedIdentifier];
+			const hydrateCachedVerification = (raw) => {
+				if (!raw) return null;
+				const candidate = typeof raw === "string" ? safeJSONParse(raw) : typeof raw === "object" ? raw : null;
+				if (!candidate) return null;
+				const expiresAt = new Date(candidate.expiresAt);
+				if (!Number.isFinite(expiresAt.getTime())) return null;
+				return {
+					...candidate,
+					expiresAt
+				};
+			};
+			let consumed = null;
+			if (secondaryStorage && !options.verification?.storeInDatabase) {
+				const consumeCacheKey = async (key) => {
+					if (secondaryStorage.getAndDelete) return hydrateCachedVerification(await secondaryStorage.getAndDelete(key));
+					return withVerificationConsumeLock(key, async () => {
+						const parsed = hydrateCachedVerification(await secondaryStorage.get(key));
+						if (!parsed) return null;
+						await secondaryStorage.delete(key);
+						return parsed;
+					});
+				};
+				for (const stored of identifiersToTry) {
+					const cached = await consumeCacheKey(`verification:${stored}`);
+					if (!cached) continue;
+					await Promise.all(identifiersToTry.filter((candidate) => candidate !== stored).map((candidate) => secondaryStorage.delete(`verification:${candidate}`)));
+					consumed = cached;
+					break;
+				}
+			} else {
+				const consumeByIdentifier = async (id) => withVerificationConsumeLock(`verification:${id}`, () => runWithTransaction(adapter, async () => {
+					const txAdapter = await getCurrentAdapter(adapter);
+					const where = [{
+						field: "identifier",
+						value: id
+					}];
+					const latest = (await txAdapter.findMany({
+						model: "verification",
+						where,
+						sortBy: {
+							field: "createdAt",
+							direction: "desc"
+						},
+						limit: 1
+					}))[0] ?? null;
+					if (!latest) return null;
+					return consumeOneWithHooks("verification", [{
+						field: "id",
+						value: latest.id
+					}], async () => {
+						const row = await txAdapter.consumeOne({
+							model: "verification",
+							where: [{
+								field: "id",
+								value: latest.id
+							}]
+						});
+						if (!row) return null;
+						await txAdapter.deleteMany({
+							model: "verification",
+							where
+						});
+						return row;
+					}, latest);
+				}));
+				for (const stored of identifiersToTry) {
+					consumed = await consumeByIdentifier(stored);
+					if (consumed) break;
+				}
+				if (consumed && secondaryStorage) await Promise.all(identifiersToTry.map((stored) => secondaryStorage.delete(`verification:${stored}`)));
+			}
+			if (!consumed || consumed.expiresAt < /* @__PURE__ */ new Date()) return null;
+			return consumed;
+		},
 		updateVerificationByIdentifier: async (identifier, data) => {
 			const storedIdentifier = await processIdentifier(identifier, getStorageOption(identifier, options.verification?.storeIdentifier));
 			if (secondaryStorage) {
@@ -634,7 +735,8 @@ const createInternalAdapter = (adapter, ctx) => {
 				value: storedIdentifier
 			}], "verification", void 0);
 			return data;
-		}
+		},
+		refreshUserSessions
 	};
 };
 //#endregion

package/dist/db/schema.d.mts

@@ -4,6 +4,19 @@ import { BetterAuthPluginDBSchema, DBFieldAttribute } from "@better-auth/core/db
 
 //#region src/db/schema.d.ts
 declare function parseUserOutput<T extends User$1>(options: BetterAuthOptions, user: T): T;
+/**
+ * Builds a synthetic user object that matches the shape of a real user
+ * returned from the database. This ensures enumeration protection works
+ * correctly by making synthetic and real user responses indistinguishable.
+ *
+ * The function iterates over the user output schema and:
+ * - Includes all fields that should be returned (returned !== false)
+ * - Uses provided values when available
+ * - Sets optional fields to null when no value is provided
+ * - Applies default values where defined
+ * - Always includes the 'id' field (not part of schema but always present)
+ */
+declare function buildSyntheticUserOutput(options: BetterAuthOptions, data: Record<string, unknown>): Record<string, unknown>;
 declare function parseSessionOutput<T extends Session$1>(options: BetterAuthOptions, session: T): T;
 declare function parseAccountOutput<T extends Account>(options: BetterAuthOptions, account: T): Omit<T, "idToken" | "accessToken" | "refreshToken" | "accessTokenExpiresAt" | "refreshTokenExpiresAt" | "password">;
 declare function parseInputData<T extends Record<string, any>>(data: T, schema: {
@@ -45,4 +58,4 @@ declare function mergeSchema<S extends BetterAuthPluginDBSchema>(schema: S, newS
   } | undefined;
 } | undefined } | undefined): S;
 //#endregion
-export { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };
+export { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };

package/dist/db/schema.mjs

@@ -24,6 +24,31 @@ function getFields(options, modelName, mode) {
 function parseUserOutput(options, user) {
 	return filterOutputFields(user, getFields(options, "user", "output"));
 }
+/**
+* Builds a synthetic user object that matches the shape of a real user
+* returned from the database. This ensures enumeration protection works
+* correctly by making synthetic and real user responses indistinguishable.
+*
+* The function iterates over the user output schema and:
+* - Includes all fields that should be returned (returned !== false)
+* - Uses provided values when available
+* - Sets optional fields to null when no value is provided
+* - Applies default values where defined
+* - Always includes the 'id' field (not part of schema but always present)
+*/
+function buildSyntheticUserOutput(options, data) {
+	const schema = getFields(options, "user", "output");
+	const result = {};
+	for (const key in schema) {
+		const fieldAttr = schema[key];
+		if (fieldAttr.returned === false) continue;
+		if (key in data && data[key] !== void 0) result[key] = data[key];
+		else if (fieldAttr.defaultValue !== void 0) result[key] = typeof fieldAttr.defaultValue === "function" ? fieldAttr.defaultValue() : fieldAttr.defaultValue;
+		else if (!fieldAttr.required) result[key] = null;
+	}
+	if ("id" in data) result.id = data.id;
+	return result;
+}
 function parseSessionOutput(options, session) {
 	return filterOutputFields(session, getFields(options, "session", "output"));
 }
@@ -121,4 +146,4 @@ function mergeSchema(schema, newSchema) {
 	return schema;
 }
 //#endregion
-export { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };
+export { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };

package/dist/db/with-hooks.d.mts

@@ -31,6 +31,7 @@ declare function getWithHooks(adapter: DBAdapter<BetterAuthOptions>, ctx: {
     fn: (where: Where[]) => void | Promise<any>;
     executeMainFn?: boolean;
   } | undefined) => Promise<any>;
+  consumeOneWithHooks: <T extends Record<string, any>>(model: BaseModelNames, hookWhere: Where[], consumeFn: () => Promise<T | null>, preSnapshot?: T | null) => Promise<T | null>;
 };
 //#endregion
 export { DatabaseHooksEntry, getWithHooks };

package/dist/db/with-hooks.mjs

@@ -185,12 +185,69 @@ function getWithHooks(adapter, ctx) {
 		}
 		return deleted;
 	}
+	/**
+	* Wraps an atomic consume operation in the plugin `delete.before` and
+	* `delete.after` hook lifecycle. The caller supplies a `consumeFn` that
+	* performs the actual single-row delete-and-return (typically the
+	* adapter's `consumeOne`). The first concurrent caller wins, subsequent
+	* racers resolve to `null` without firing `delete.after` hooks.
+	*
+	* `preSnapshot` lets the caller hand in a row it already fetched so
+	* `delete.before` hooks don't trigger a second read. Without it, the
+	* helper falls back to a best-effort `findMany` against `hookWhere`.
+	* The snapshot only feeds `delete.before`; the `consumeFn` return value
+	* is the race gate.
+	*
+	* Returning `false` from a `delete.before` hook aborts the consume and
+	* the helper resolves to `null` (no `consumeFn` call, no after hooks).
+	*/
+	async function consumeOneWithHooks(model, hookWhere, consumeFn, preSnapshot) {
+		const context = await getCurrentAuthContext().catch(() => null);
+		const beforeHooks = hooksEntries.flatMap(({ source, hooks }) => {
+			const fn = hooks[model]?.delete?.before;
+			return fn ? [{
+				source,
+				fn
+			}] : [];
+		});
+		let snapshot = preSnapshot ?? null;
+		if (beforeHooks.length) {
+			if (!snapshot) try {
+				snapshot = (await (await getCurrentAdapter(adapter)).findMany({
+					model,
+					where: hookWhere,
+					limit: 1
+				}))[0] || null;
+			} catch {}
+			if (snapshot) {
+				for (const { source, fn } of beforeHooks) if (await withSpan(`db delete.before ${model}`, {
+					[ATTR_HOOK_TYPE]: "delete.before",
+					[ATTR_DB_COLLECTION_NAME]: model,
+					[ATTR_CONTEXT]: source
+				}, () => fn(snapshot, context)) === false) return null;
+			}
+		}
+		const consumed = await consumeFn();
+		if (!consumed) return null;
+		for (const { source, hooks } of hooksEntries) {
+			const toRun = hooks[model]?.delete?.after;
+			if (toRun) await queueAfterTransactionHook(async () => {
+				await withSpan(`db delete.after ${model}`, {
+					[ATTR_HOOK_TYPE]: "delete.after",
+					[ATTR_DB_COLLECTION_NAME]: model,
+					[ATTR_CONTEXT]: source
+				}, () => toRun(consumed, context));
+			});
+		}
+		return consumed;
+	}
 	return {
 		createWithHooks,
 		updateWithHooks,
 		updateManyWithHooks,
 		deleteWithHooks,
-		deleteManyWithHooks
+		deleteManyWithHooks,
+		consumeOneWithHooks
 	};
 }
 //#endregion

package/dist/index.d.mts

@@ -10,7 +10,7 @@ import { betterAuth } from "./auth/full.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { StateData, generateGenericState, parseGenericState } from "./state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
-import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./utils/url.mjs";
 import { APIError } from "./api/index.mjs";
 import { StandardSchemaV1 } from "@better-auth/core";
 import { getCurrentAdapter } from "@better-auth/core/context";
@@ -27,4 +27,4 @@ export * from "@better-auth/core/utils/json";
 export * from "@better-auth/core/social-providers";
 export * from "better-call";
 export * from "zod";
-export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./utils/url.mjs";
 import { generateGenericState, parseGenericState } from "./state.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
@@ -14,4 +14,4 @@ export * from "@better-auth/core/oauth2";
 export * from "@better-auth/core/utils/error-codes";
 export * from "@better-auth/core/utils/id";
 export * from "@better-auth/core/utils/json";
-export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };

package/dist/integrations/cookie-plugin-guard.mjs

@@ -0,0 +1,18 @@
+//#region src/integrations/cookie-plugin-guard.ts
+/**
+* Warns when a cookie integration plugin is not effectively last.
+*
+* A plugin is considered misordered when there is at least one other plugin
+* after it in the `plugins` array that declares `hooks.after`, since those
+* hooks can set cookies that this integration will not see.
+*/
+function warnIfCookiePluginNotLast(ctx, pluginId) {
+	const plugins = ctx.options.plugins || [];
+	if (plugins.length === 0) return;
+	const index = plugins.findIndex((p) => p.id === pluginId);
+	if (index === -1) return;
+	if (!plugins.slice(index + 1).some((p) => p.hooks && Array.isArray(p.hooks.after) && p.hooks.after.length > 0)) return;
+	ctx.logger.warn(`[better-auth] Cookie integration plugin "${pluginId}" should be placed last in the plugins array. Plugins with \`hooks.after\` running after it may set cookies that are not forwarded to the framework cookie store. Move your cookie integration plugin to the end of the \`plugins\` array to avoid missing \`Set-Cookie\` headers.`);
+}
+//#endregion
+export { warnIfCookiePluginNotLast };