npm - better-auth - Versions diffs - 1.7.0-beta.2 → 1.7.0-beta.4 - Mend

better-auth 1.7.0-beta.2 → 1.7.0-beta.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (282) hide show

package/dist/plugins/anonymous/index.mjs CHANGED Viewed

@@ -101,6 +101,12 @@ const anonymous = (options) => {
 				const session = ctx.context.session;
 				if (options?.disableDeleteAnonymousUser) throw APIError.from("BAD_REQUEST", ANONYMOUS_ERROR_CODES.DELETE_ANONYMOUS_USER_DISABLED);
 				if (!session.user.isAnonymous) throw APIError.from("FORBIDDEN", ANONYMOUS_ERROR_CODES.USER_IS_NOT_ANONYMOUS);
+				try {
+					await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
+				} catch (error) {
+					ctx.context.logger.error("Failed to delete anonymous user sessions", error);
+					throw APIError.from("INTERNAL_SERVER_ERROR", ANONYMOUS_ERROR_CODES.FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS);
+				}
 				try {
 					await ctx.context.internalAdapter.deleteUser(session.user.id);
 				} catch (error) {
@@ -113,7 +119,7 @@ const anonymous = (options) => {
 		},
 		hooks: { after: [{
 			matcher(ctx) {
-				return ctx.path?.startsWith("/sign-in") || ctx.path?.startsWith("/sign-up") || ctx.path?.startsWith("/callback") || ctx.path?.startsWith("/magic-link/verify") || ctx.path?.startsWith("/email-otp/verify-email") || ctx.path?.startsWith("/one-tap/callback") || ctx.path?.startsWith("/passkey/verify-authentication") || ctx.path?.startsWith("/phone-number/verify") || false;
+				return ctx.path?.startsWith("/sign-in") || ctx.path?.startsWith("/sign-up") || ctx.path?.startsWith("/callback") || ctx.path?.startsWith("/magic-link/verify") || ctx.path?.startsWith("/email-otp/verify-email") || ctx.path?.startsWith("/one-tap/callback") || ctx.path?.startsWith("/passkey/verify-authentication") || ctx.path?.startsWith("/phone-number/verify") || ctx.path?.startsWith("/verify-email") || false;
 			},
 			handler: createAuthMiddleware(async (ctx) => {
 				const setCookie = ctx.context.responseHeaders?.get("set-cookie");
@@ -147,7 +153,15 @@ const anonymous = (options) => {
 				const isSameUser = newSessionUser?.id === session.user.id;
 				const newSessionIsAnonymous = Boolean(newSessionUser?.isAnonymous);
 				if (options?.disableDeleteAnonymousUser || isSameUser || newSessionIsAnonymous) return;
-				await ctx.context.internalAdapter.deleteUser(session.user.id);
+				try {
+					await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
+					await ctx.context.internalAdapter.deleteUser(session.user.id);
+				} catch (error) {
+					ctx.context.logger.error("Failed to clean up anonymous user during post-link cleanup", {
+						anonymousUserId: session.user.id,
+						error
+					});
+				}
 			})
 		}] },
 		options,

package/dist/plugins/bearer/index.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, setRequestCookie } from "../../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { serializeSignedCookie } from "better-call";
 import { createAuthMiddleware } from "@better-auth/core/api";
@@ -30,16 +30,11 @@ const bearer = (options) => {
 					if (authHeader.slice(0, 7).toLowerCase() !== BEARER_SCHEME) return;
 					const token = authHeader.slice(7).trim();
 					if (!token) return;
-					let signedToken;
 					let decodedToken;
-					if (token.includes(".")) {
-						const isEncoded = token.includes("%");
-						signedToken = isEncoded ? token : encodeURIComponent(token);
-						decodedToken = isEncoded ? tryDecode(token) : token;
-					} else {
+					if (token.includes(".")) decodedToken = token.includes("%") ? tryDecode(token) : token;
+					else {
 						if (options?.requireSignature) return;
-						signedToken = (await serializeSignedCookie("", token, c.context.secret)).replace("=", "");
-						decodedToken = tryDecode(signedToken);
+						decodedToken = tryDecode((await serializeSignedCookie("", token, c.context.secret)).replace("=", ""));
 					}
 					try {
 						if (!await createHMAC("SHA-256", "base64urlnopad").verify(c.context.secret, decodedToken.split(".")[0], decodedToken.split(".")[1])) return;
@@ -48,9 +43,7 @@ const bearer = (options) => {
 					}
 					const existingHeaders = c.request?.headers || c.headers;
 					const headers = new Headers({ ...Object.fromEntries(existingHeaders?.entries()) });
-					const existingCookie = headers.get("cookie");
-					const newCookie = `${c.context.authCookies.sessionToken.name}=${signedToken}`;
-					headers.set("cookie", existingCookie ? `${existingCookie}; ${newCookie}` : newCookie);
+					setRequestCookie(headers, c.context.authCookies.sessionToken.name, decodedToken);
 					return { context: { headers } };
 				})
 			}],

package/dist/plugins/captcha/index.mjs CHANGED Viewed

@@ -14,7 +14,20 @@ const captcha = (options) => ({
 	$ERROR_CODES: EXTERNAL_ERROR_CODES,
 	onRequest: async (request, ctx) => {
 		try {
-			if (!(options.endpoints?.length ? options.endpoints : defaultEndpoints).some((endpoint) => request.url.includes(endpoint))) return void 0;
+			const endpoints = options.endpoints?.length ? options.endpoints : defaultEndpoints;
+			const url = new URL(request.url);
+			const basePath = ctx.options.basePath ?? "/api/auth";
+			let pathname = url.pathname.replace(basePath, "");
+			if (pathname.endsWith("//")) pathname = pathname.slice(0, -1);
+			if (pathname.startsWith("//")) pathname = pathname.slice(1);
+			if (!pathname.startsWith("/")) pathname = "/" + pathname;
+			const exemptPaths = ["/sign-in/email-otp"].reduce((acc, curr) => {
+				if (options.endpoints?.length && options.endpoints.includes(curr)) return acc;
+				return [...acc, curr];
+			}, []);
+			if (!endpoints.some((endpoint) => {
+				return pathname.includes(endpoint) && !exemptPaths.some((p) => pathname.includes(p));
+			})) return;
 			if (!options.secretKey) throw new Error(INTERNAL_ERROR_CODES.MISSING_SECRET_KEY.message);
 			const captchaResponse = request.headers.get("x-captcha-response");
 			const remoteUserIP = getIp(request, ctx.options) ?? void 0;

package/dist/plugins/device-authorization/error-codes.mjs CHANGED Viewed

@@ -8,6 +8,7 @@ const DEVICE_AUTHORIZATION_ERROR_CODES = defineErrorCodes({
 	ACCESS_DENIED: "Access denied",
 	INVALID_USER_CODE: "Invalid user code",
 	DEVICE_CODE_ALREADY_PROCESSED: "Device code already processed",
+	DEVICE_CODE_NOT_CLAIMED: "Device code has not been claimed by a verifying session; call `GET /device` with the `user_code` while signed in before approving or denying",
 	POLLING_TOO_FREQUENTLY: "Polling too frequently",
 	USER_NOT_FOUND: "User not found",
 	FAILED_TO_CREATE_SESSION: "Failed to create session",

package/dist/plugins/device-authorization/index.d.mts CHANGED Viewed

@@ -388,6 +388,7 @@ declare const deviceAuthorization: (options?: Partial<DeviceAuthorizationOptions
     ACCESS_DENIED: _better_auth_core_utils_error_codes0.RawError<"ACCESS_DENIED">;
     INVALID_USER_CODE: _better_auth_core_utils_error_codes0.RawError<"INVALID_USER_CODE">;
     DEVICE_CODE_ALREADY_PROCESSED: _better_auth_core_utils_error_codes0.RawError<"DEVICE_CODE_ALREADY_PROCESSED">;
+    DEVICE_CODE_NOT_CLAIMED: _better_auth_core_utils_error_codes0.RawError<"DEVICE_CODE_NOT_CLAIMED">;
     POLLING_TOO_FREQUENTLY: _better_auth_core_utils_error_codes0.RawError<"POLLING_TOO_FREQUENTLY">;
     INVALID_DEVICE_CODE_STATUS: _better_auth_core_utils_error_codes0.RawError<"INVALID_DEVICE_CODE_STATUS">;
     AUTHENTICATION_REQUIRED: _better_auth_core_utils_error_codes0.RawError<"AUTHENTICATION_REQUIRED">;

package/dist/plugins/device-authorization/routes.mjs CHANGED Viewed

@@ -99,6 +99,7 @@ Follow [rfc8628#section-3.2](https://datatracker.ietf.org/doc/html/rfc8628#secti
 			data: {
 				deviceCode,
 				userCode,
+				userId: null,
 				expiresAt,
 				status: "pending",
 				pollingInterval: ms(opts.interval),
@@ -331,6 +332,28 @@ const deviceVerify = createAuthEndpoint("/device", {
 		error: "expired_token",
 		error_description: DEVICE_AUTHORIZATION_ERROR_CODES.EXPIRED_USER_CODE.message
 	});
+	const session = await getSessionFromCtx(ctx);
+	if (session?.user?.id && !deviceCodeRecord.userId && deviceCodeRecord.status === "pending") {
+		if (await ctx.context.adapter.update({
+			model: "deviceCode",
+			where: [
+				{
+					field: "id",
+					value: deviceCodeRecord.id
+				},
+				{
+					field: "status",
+					value: "pending"
+				},
+				{
+					field: "userId",
+					operator: "eq",
+					value: null
+				}
+			],
+			update: { userId: session.user.id }
+		})) deviceCodeRecord.userId = session.user.id;
+	}
 	return ctx.json({
 		user_code,
 		status: deviceCodeRecord.status
@@ -387,7 +410,11 @@ const deviceApprove = createAuthEndpoint("/device/approve", {
 		error: "invalid_request",
 		error_description: DEVICE_AUTHORIZATION_ERROR_CODES.DEVICE_CODE_ALREADY_PROCESSED.message
 	});
-	if (deviceCodeRecord.userId && deviceCodeRecord.userId !== session.user.id) throw new APIError("FORBIDDEN", {
+	if (!deviceCodeRecord.userId) throw new APIError("BAD_REQUEST", {
+		error: "invalid_request",
+		error_description: DEVICE_AUTHORIZATION_ERROR_CODES.DEVICE_CODE_NOT_CLAIMED.message
+	});
+	if (deviceCodeRecord.userId !== session.user.id) throw new APIError("FORBIDDEN", {
 		error: "access_denied",
 		error_description: "You are not authorized to approve this device authorization"
 	});
@@ -454,7 +481,11 @@ const deviceDeny = createAuthEndpoint("/device/deny", {
 		error: "invalid_request",
 		error_description: DEVICE_AUTHORIZATION_ERROR_CODES.DEVICE_CODE_ALREADY_PROCESSED.message
 	});
-	if (deviceCodeRecord.userId && deviceCodeRecord.userId !== session.user.id) throw new APIError("FORBIDDEN", {
+	if (!deviceCodeRecord.userId) throw new APIError("BAD_REQUEST", {
+		error: "invalid_request",
+		error_description: DEVICE_AUTHORIZATION_ERROR_CODES.DEVICE_CODE_NOT_CLAIMED.message
+	});
+	if (deviceCodeRecord.userId !== session.user.id) throw new APIError("FORBIDDEN", {
 		error: "access_denied",
 		error_description: "You are not authorized to deny this device authorization"
 	});
@@ -466,7 +497,7 @@ const deviceDeny = createAuthEndpoint("/device/deny", {
 		}],
 		update: {
 			status: "denied",
-			userId: deviceCodeRecord.userId || session.user.id
+			userId: session.user.id
 		}
 	});
 	return ctx.json({ success: true });

package/dist/plugins/email-otp/routes.mjs CHANGED Viewed

@@ -465,7 +465,7 @@ const requestPasswordResetEmailOTP = (opts) => createAuthEndpoint("/email-otp/re
 		} }
 	} }
 }, async (ctx) => {
-	const email = ctx.body.email;
+	const email = ctx.body.email.toLowerCase();
 	const identifier = toOTPIdentifier("forget-password", email);
 	const otp = await resolveOTP(ctx, opts, email, "forget-password");
 	if (!await ctx.context.internalAdapter.findUserByEmail(email)) {
@@ -517,7 +517,7 @@ const forgetPasswordEmailOTP = (opts) => {
 		} }
 	}, async (ctx) => {
 		warnDeprecation();
-		const email = ctx.body.email;
+		const email = ctx.body.email.toLowerCase();
 		const identifier = toOTPIdentifier("forget-password", email);
 		const otp = await resolveOTP(ctx, opts, email, "forget-password");
 		if (!await ctx.context.internalAdapter.findUserByEmail(email)) {
@@ -567,7 +567,7 @@ const resetPasswordEmailOTP = (opts) => createAuthEndpoint("/email-otp/reset-pas
 		} }
 	} }
 }, async (ctx) => {
-	const email = ctx.body.email;
+	const email = ctx.body.email.toLowerCase();
 	await atomicVerifyOTP(ctx, opts, toOTPIdentifier("forget-password", email), ctx.body.otp);
 	const user = await ctx.context.internalAdapter.findUserByEmail(email, { includeAccounts: true });
 	if (!user) throw APIError$1.from("BAD_REQUEST", BASE_ERROR_CODES.USER_NOT_FOUND);
@@ -585,7 +585,7 @@ const resetPasswordEmailOTP = (opts) => createAuthEndpoint("/email-otp/reset-pas
 	else await ctx.context.internalAdapter.updatePassword(user.user.id, passwordHash);
 	if (ctx.context.options.emailAndPassword?.onPasswordReset) await ctx.context.options.emailAndPassword.onPasswordReset({ user: user.user }, ctx.request);
 	if (!user.user.emailVerified) await ctx.context.internalAdapter.updateUser(user.user.id, { emailVerified: true });
-	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteSessions(user.user.id);
+	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteUserSessions(user.user.id);
 	return ctx.json({ success: true });
 });
 const requestEmailChangeEmailOTPBodySchema = z.object({

package/dist/plugins/generic-oauth/error-codes.mjs CHANGED Viewed

@@ -1,4 +1,3 @@
-import "../../oauth2/error-codes.mjs";
 import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
 //#region src/plugins/generic-oauth/error-codes.ts
 const GENERIC_OAUTH_ERROR_CODES = defineErrorCodes({

package/dist/plugins/generic-oauth/index.d.mts CHANGED Viewed

@@ -23,11 +23,9 @@ declare module "@better-auth/core" {
 }
 /**
  * Base type for OAuth provider options.
- * Extracts common fields from GenericOAuthConfig and makes clientSecret required.
+ * Extracts common fields from GenericOAuthConfig for provider helpers.
  */
-type BaseOAuthProviderOptions = Omit<Pick<GenericOAuthConfig, "clientId" | "clientSecret" | "scopes" | "redirectURI" | "pkce" | "disableImplicitSignUp" | "disableSignUp" | "overrideUserInfo">, "clientSecret"> & {
-  /** OAuth client secret (required for provider options) */clientSecret: string;
-};
+type BaseOAuthProviderOptions = Pick<GenericOAuthConfig, "clientId" | "clientSecret" | "tokenEndpointAuth" | "scopes" | "redirectURI" | "pkce" | "disableImplicitSignUp" | "disableSignUp" | "overrideUserInfo">;
 /**
  * A generic OAuth plugin that registers any OAuth/OIDC provider
  * as a first-class social provider.

package/dist/plugins/generic-oauth/index.mjs CHANGED Viewed

@@ -10,16 +10,15 @@ import { okta } from "./providers/okta.mjs";
 import { patreon } from "./providers/patreon.mjs";
 import { slack } from "./providers/slack.mjs";
 import { APIError } from "@better-auth/core/error";
-import { createAuthorizationURL, refreshAccessToken, validateAuthorizationCode } from "@better-auth/core/oauth2";
+import { applyDefaultAccessTokenExpiry, createAuthorizationURL, refreshAccessToken, validateAuthorizationCode } from "@better-auth/core/oauth2";
 import { decodeJwt } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/plugins/generic-oauth/index.ts
-function buildClientAssertion(config, tokenEndpoint) {
-	if (config.authentication !== "private_key_jwt" || !config.clientAssertion) return;
-	return {
-		...config.clientAssertion,
-		tokenEndpoint
-	};
+function isSecretlessTokenEndpointAuth(tokenEndpointAuth) {
+	return tokenEndpointAuth?.method === "private_key_jwt" || tokenEndpointAuth?.method === "none";
+}
+function isClientSecretTokenEndpointAuth(tokenEndpointAuth) {
+	return tokenEndpointAuth?.method === "client_secret_basic" || tokenEndpointAuth?.method === "client_secret_post";
 }
 async function fetchDiscovery(url, headers) {
 	const result = await betterFetch(url, {
@@ -100,11 +99,15 @@ const genericOAuth = (options) => {
 						isOidc = Array.isArray(discovered.id_token_signing_alg_values_supported) && discovered.id_token_signing_alg_values_supported.length > 0;
 					} else if (!authorizationUrl || !tokenUrl) ctx.logger.error(`Provider "${c.providerId}": discovery returned no data and no explicit endpoints configured. OAuth sign-in will fail for this provider.`);
 				}
-				if (!c.clientSecret && !c.clientAssertion && c.authentication !== "private_key_jwt") ctx.logger.warn(`Provider "${c.providerId}": no clientSecret or clientAssertion configured. Token exchange will fail unless this is a public client.`);
+				const tokenEndpointAuth = c.tokenEndpointAuth;
+				if (c.clientSecret && isSecretlessTokenEndpointAuth(tokenEndpointAuth)) throw new Error(`Provider "${c.providerId}": tokenEndpointAuth.method "${tokenEndpointAuth?.method}" cannot be combined with clientSecret`);
+				if (!c.clientSecret && isClientSecretTokenEndpointAuth(tokenEndpointAuth)) throw new Error(`Provider "${c.providerId}": tokenEndpointAuth.method "${tokenEndpointAuth?.method}" requires clientSecret`);
+				if (!c.clientSecret && !tokenEndpointAuth && c.authentication === "basic") throw new Error(`Provider "${c.providerId}": authentication "basic" requires clientSecret`);
 				genericProviders.push({
 					id: c.providerId,
 					name: c.name ?? c.providerId,
 					issuer,
+					allowIdpInitiated: c.allowIdpInitiated,
 					createAuthorizationURL(data) {
 						if (!authorizationUrl) throw APIError.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.INVALID_OAUTH_CONFIGURATION);
 						return createAuthorizationURL({
@@ -127,14 +130,17 @@ const genericOAuth = (options) => {
 							accessType: c.accessType,
 							responseType: c.responseType,
 							responseMode: c.responseMode,
-							additionalParams: c.authorizationUrlParams,
+							additionalParams: {
+								...c.authorizationUrlParams ?? {},
+								...data.additionalParams ?? {}
+							},
 							loginHint: data.loginHint
 						});
 					},
 					async validateAuthorizationCode(data) {
-						if (c.getToken) return c.getToken(data);
+						if (c.getToken) return applyDefaultAccessTokenExpiry(await c.getToken(data), c.accessTokenExpiresIn);
 						if (!tokenUrl) throw APIError.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND);
-						return validateAuthorizationCode({
+						return applyDefaultAccessTokenExpiry(await validateAuthorizationCode({
 							headers: c.authorizationHeaders,
 							code: data.code,
 							codeVerifier: c.pkce ?? true ? data.codeVerifier : void 0,
@@ -146,9 +152,9 @@ const genericOAuth = (options) => {
 							},
 							tokenEndpoint: tokenUrl,
 							authentication: c.authentication,
-							additionalParams: c.tokenUrlParams,
-							clientAssertion: buildClientAssertion(c, tokenUrl)
-						});
+							tokenEndpointAuth,
+							additionalParams: c.tokenUrlParams
+						}), c.accessTokenExpiresIn);
 					},
 					async getUserInfo(tokens) {
 						const raw = c.getUserInfo ? await c.getUserInfo(tokens) : await fetchUserInfo(tokens, userInfoUrl);
@@ -172,16 +178,16 @@ const genericOAuth = (options) => {
 					},
 					async refreshAccessToken(refreshToken) {
 						if (!tokenUrl) throw APIError.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND);
-						return refreshAccessToken({
+						return applyDefaultAccessTokenExpiry(await refreshAccessToken({
 							refreshToken,
 							options: {
 								clientId: c.clientId,
 								clientSecret: c.clientSecret
 							},
 							authentication: c.authentication,
-							clientAssertion: buildClientAssertion(c, tokenUrl),
+							tokenEndpointAuth,
 							tokenEndpoint: tokenUrl
-						});
+						}), c.accessTokenExpiresIn);
 					},
 					disableImplicitSignUp: c.disableImplicitSignUp,
 					disableSignUp: c.disableSignUp,

package/dist/plugins/generic-oauth/providers/auth0.mjs CHANGED Viewed

@@ -27,6 +27,7 @@ function auth0(options) {
 		discoveryUrl: `https://${options.domain.replace(/^https?:\/\//, "")}/.well-known/openid-configuration`,
 		clientId: options.clientId,
 		clientSecret: options.clientSecret,
+		tokenEndpointAuth: options.tokenEndpointAuth,
 		scopes: options.scopes ?? [
 			"openid",
 			"profile",

package/dist/plugins/generic-oauth/providers/gumroad.mjs CHANGED Viewed

@@ -44,6 +44,7 @@ function gumroad(options) {
 		tokenUrl: "https://api.gumroad.com/oauth/token",
 		clientId: options.clientId,
 		clientSecret: options.clientSecret,
+		tokenEndpointAuth: options.tokenEndpointAuth,
 		scopes: options.scopes ?? ["view_profile"],
 		redirectURI: options.redirectURI,
 		pkce: options.pkce,

package/dist/plugins/generic-oauth/providers/hubspot.mjs CHANGED Viewed

@@ -43,6 +43,7 @@ function hubspot(options) {
 		tokenUrl: "https://api.hubapi.com/oauth/v1/token",
 		clientId: options.clientId,
 		clientSecret: options.clientSecret,
+		tokenEndpointAuth: options.tokenEndpointAuth,
 		scopes: options.scopes ?? defaultScopes,
 		redirectURI: options.redirectURI,
 		authentication: "post",

package/dist/plugins/generic-oauth/providers/keycloak.mjs CHANGED Viewed

@@ -27,6 +27,7 @@ function keycloak(options) {
 		discoveryUrl: `${options.issuer.replace(/\/$/, "")}/.well-known/openid-configuration`,
 		clientId: options.clientId,
 		clientSecret: options.clientSecret,
+		tokenEndpointAuth: options.tokenEndpointAuth,
 		scopes: options.scopes ?? [
 			"openid",
 			"profile",

package/dist/plugins/generic-oauth/providers/line.mjs CHANGED Viewed

@@ -75,6 +75,7 @@ function line(options) {
 		userInfoUrl,
 		clientId: options.clientId,
 		clientSecret: options.clientSecret,
+		tokenEndpointAuth: options.tokenEndpointAuth,
 		scopes: options.scopes ?? defaultScopes,
 		redirectURI: options.redirectURI,
 		pkce: options.pkce,

package/dist/plugins/generic-oauth/providers/microsoft-entra-id.mjs CHANGED Viewed

@@ -50,6 +50,7 @@ function microsoftEntraId(options) {
 		userInfoUrl,
 		clientId: options.clientId,
 		clientSecret: options.clientSecret,
+		tokenEndpointAuth: options.tokenEndpointAuth,
 		scopes: options.scopes ?? defaultScopes,
 		redirectURI: options.redirectURI,
 		pkce: options.pkce,

package/dist/plugins/generic-oauth/providers/okta.mjs CHANGED Viewed

@@ -27,6 +27,7 @@ function okta(options) {
 		discoveryUrl: `${options.issuer.replace(/\/$/, "")}/.well-known/openid-configuration`,
 		clientId: options.clientId,
 		clientSecret: options.clientSecret,
+		tokenEndpointAuth: options.tokenEndpointAuth,
 		scopes: options.scopes ?? [
 			"openid",
 			"profile",

package/dist/plugins/generic-oauth/providers/patreon.mjs CHANGED Viewed

@@ -43,6 +43,7 @@ function patreon(options) {
 		tokenUrl: "https://www.patreon.com/api/oauth2/token",
 		clientId: options.clientId,
 		clientSecret: options.clientSecret,
+		tokenEndpointAuth: options.tokenEndpointAuth,
 		scopes: options.scopes ?? defaultScopes,
 		redirectURI: options.redirectURI,
 		pkce: options.pkce,

package/dist/plugins/generic-oauth/providers/slack.mjs CHANGED Viewed

@@ -45,6 +45,7 @@ function slack(options) {
 		userInfoUrl: "https://slack.com/api/openid.connect.userInfo",
 		clientId: options.clientId,
 		clientSecret: options.clientSecret,
+		tokenEndpointAuth: options.tokenEndpointAuth,
 		scopes: options.scopes ?? defaultScopes,
 		redirectURI: options.redirectURI,
 		pkce: options.pkce,

package/dist/plugins/generic-oauth/types.d.mts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { User } from "@better-auth/core/db";
-import { ClientAssertionConfig, OAuth2Tokens, OAuth2UserInfo } from "@better-auth/core/oauth2";
+import { OAuth2Tokens, OAuth2UserInfo, TokenEndpointAuth } from "@better-auth/core/oauth2";
 //#region src/plugins/generic-oauth/types.d.ts
 interface GenericOAuthOptions<ID extends string = string> {
@@ -43,6 +43,14 @@ interface GenericOAuthConfig<ID extends string = string> {
   clientId: string;
   /** OAuth client secret */
   clientSecret?: string | undefined;
+  /**
+   * Token endpoint client authentication method.
+   *
+   * Use `private_key_jwt` for IdPs that authenticate clients with RFC 7523
+   * client assertions instead of a client secret. Secret-based methods require
+   * clientSecret.
+   */
+  tokenEndpointAuth?: TokenEndpointAuth | undefined;
   /**
    * Array of OAuth scopes to request.
    * @default []
@@ -79,6 +87,13 @@ interface GenericOAuthConfig<ID extends string = string> {
    * Use "offline" to request a refresh token.
    */
   accessType?: string | undefined;
+  /**
+   * Fallback access-token lifetime, in seconds, used only when the provider's
+   * token response omits `expires_in`. Set this so `getAccessToken` can track
+   * expiry and refresh the token; leave unset if the provider returns
+   * `expires_in`.
+   */
+  accessTokenExpiresIn?: number | undefined;
   /**
    * Custom function to exchange authorization code for tokens.
    * If provided, this function will be used instead of the default token exchange logic.
@@ -111,7 +126,9 @@ interface GenericOAuthConfig<ID extends string = string> {
   authorizationUrlParams?: Record<string, string> | undefined;
   /**
    * Additional search-params to add to the tokenUrl.
-   * Warning: Search-params added here overwrite any default params.
+   * Parameters already set by Better Auth are preserved. Configure token
+   * endpoint client authentication with clientId, clientSecret, and
+   * tokenEndpointAuth.
    */
   tokenUrlParams?: Record<string, string> | undefined;
   /**
@@ -125,14 +142,10 @@ interface GenericOAuthConfig<ID extends string = string> {
   disableSignUp?: boolean | undefined;
   /**
    * Authentication method for token requests.
+   * "basic" requires clientSecret.
    * @default "post"
    */
-  authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-  /**
-   * Client assertion config for `private_key_jwt` authentication.
-   * Required when `authentication` is `"private_key_jwt"`.
-   */
-  clientAssertion?: ClientAssertionConfig | undefined;
+  authentication?: ("basic" | "post") | undefined;
   /**
    * Custom headers to include in the discovery request.
    * Useful for providers like Epic that require specific headers (e.g., Epic-Client-ID).
@@ -151,6 +164,15 @@ interface GenericOAuthConfig<ID extends string = string> {
    * @default false
    */
   overrideUserInfo?: boolean | undefined;
+  /**
+   * Accept callbacks from providers that initiate the OAuth flow without
+   * sending a `state` parameter (e.g. Clever). When enabled, stateless
+   * callbacks restart the OAuth flow server-side with a fresh `state` and
+   * PKCE verifier. See the generic-oauth docs for details.
+   *
+   * @default false
+   */
+  allowIdpInitiated?: boolean | undefined;
 }
 //#endregion
 export { GenericOAuthConfig, GenericOAuthOptions };

package/dist/plugins/index.d.mts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginIDs } from "../types/plugins.mjs";
 import { HIDE_METADATA } from "../utils/hide-metadata.mjs";
-import { AccessControl, ArrayElement, Role, Statements, SubArray, Subset } from "./access/types.mjs";
+import { AccessControl, ArrayElement, ExactRoleStatements, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, Statements, SubArray, Subset } from "./access/types.mjs";
 import { AuthorizeResponse, createAccessControl, role } from "./access/access.mjs";
 import { OrganizationOptions } from "./organization/types.mjs";
 import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferTeam, Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, Team, TeamInput, TeamMember, TeamMemberInput, defaultRolesSchema, invitationSchema, invitationStatus, memberSchema, organizationRoleSchema, organizationSchema, roleSchema, teamMemberSchema, teamSchema } from "./organization/schema.mjs";
@@ -62,4 +62,4 @@ import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
 import { UsernameOptions, username } from "./username/index.mjs";
 import { hasPermission } from "./organization/has-permission.mjs";
 import { DefaultOrganizationPlugin, DynamicAccessControlEndpoints, OrganizationCreator, OrganizationEndpoints, OrganizationPlugin, TeamEndpoints, organization, parseRoles } from "./organization/organization.mjs";
-export { AccessControl, AdminOptions, AnonymousOptions, AnonymousSession, ArrayElement, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, LoginResult, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, Path, PatreonOptions, PhoneNumberOptions, Provider, ResolvedSigningKey, Role, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TestCookie, TestHelpers, TestUtilsOptions, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, encodeBackupCodes, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, resolveSigningKey, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, testUtils, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };
+export { AccessControl, AdminOptions, AnonymousOptions, AnonymousSession, ArrayElement, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, ExactRoleStatements, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, LoginResult, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, Path, PatreonOptions, PhoneNumberOptions, Provider, ResolvedSigningKey, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TestCookie, TestHelpers, TestUtilsOptions, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, encodeBackupCodes, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, resolveSigningKey, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, testUtils, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };

package/dist/plugins/jwt/utils.d.mts CHANGED Viewed

@@ -16,7 +16,7 @@ declare function toExpJWT(expirationTime: number | Date | string, iat: number):
 declare function generateExportedKeyPair(options?: JwtOptions | undefined): Promise<{
   publicWebKey: jose.JWK;
   privateWebKey: jose.JWK;
-  alg: "RS256" | "PS256" | "ES256" | "ES512" | "EdDSA";
+  alg: "EdDSA" | "ES256" | "ES512" | "PS256" | "RS256";
   cfg: {
     crv?: "Ed25519" | undefined;
   } | {

package/dist/plugins/last-login-method/client.mjs CHANGED Viewed

@@ -1,9 +1,9 @@
+import { parseCookies } from "../../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 //#region src/plugins/last-login-method/client.ts
 function getCookieValue(name) {
 	if (typeof document === "undefined") return null;
-	const cookie = document.cookie.split("; ").find((row) => row.startsWith(`${name}=`));
-	return cookie ? cookie.split("=")[1] : null;
+	return parseCookies(document.cookie).get(name) ?? null;
 }
 /**
 * Client-side plugin to retrieve the last used login method

package/dist/plugins/magic-link/index.d.mts CHANGED Viewed

@@ -18,7 +18,14 @@ interface MagicLinkOptions {
   expiresIn?: number | undefined;
   /**
    * Allowed attempts for verifying the magic link token.
-   * Note: Passing Infinity will allow unlimited attempts.
+   *
+   * @deprecated Multi-attempt verification is no longer supported. Each
+   * magic link token is consumed atomically on the first verification call,
+   * so a given token mints at most one session regardless of this value
+   * (see GHSA-hc7v-rggr-4hvx). The option is kept for source compatibility
+   * and may be removed in a future major; any value other than `1` is
+   * ignored and emits a `console.warn` at plugin construction.
+   *
    * @default 1
    */
   allowedAttempts?: number;

package/dist/plugins/magic-link/index.mjs CHANGED Viewed

@@ -27,6 +27,7 @@ const magicLink = (options) => {
 		allowedAttempts: 1,
 		...options
 	};
+	if (options.allowedAttempts !== void 0 && options.allowedAttempts !== 1) console.warn("[better-auth/magic-link] `allowedAttempts` is ignored: tokens are consumed atomically on the first verification call (GHSA-hc7v-rggr-4hvx). Any value other than `1` has no effect; remove the option to silence this warning.");
 	async function storeToken(ctx, token) {
 		if (opts.storeToken === "hashed") return await defaultKeyHasher(token);
 		if (typeof opts.storeToken === "object" && "type" in opts.storeToken && opts.storeToken.type === "custom-hasher") return await opts.storeToken.hash(token);
@@ -59,8 +60,7 @@ const magicLink = (options) => {
 					identifier: storedToken,
 					value: JSON.stringify({
 						email,
-						name: ctx.body.name,
-						attempt: 0
+						name: ctx.body.name
 					}),
 					expiresAt: new Date(Date.now() + (opts.expiresIn || 300) * 1e3)
 				});
@@ -119,22 +119,9 @@ const magicLink = (options) => {
 				}
 				const newUserCallbackURL = new URL(ctx.query.newUserCallbackURL ? decodeURIComponent(ctx.query.newUserCallbackURL) : callbackURL, ctx.context.baseURL).toString();
 				const storedToken = await storeToken(ctx, token);
-				const tokenValue = await ctx.context.internalAdapter.findVerificationValue(storedToken);
+				const tokenValue = await ctx.context.internalAdapter.consumeVerificationValue(storedToken);
 				if (!tokenValue) redirectWithError("INVALID_TOKEN");
-				if (tokenValue.expiresAt < /* @__PURE__ */ new Date()) {
-					await ctx.context.internalAdapter.deleteVerificationByIdentifier(storedToken);
-					redirectWithError("EXPIRED_TOKEN");
-				}
-				const { email, name, attempt = 0 } = JSON.parse(tokenValue.value);
-				if (attempt >= opts.allowedAttempts) {
-					await ctx.context.internalAdapter.deleteVerificationByIdentifier(storedToken);
-					redirectWithError("ATTEMPTS_EXCEEDED");
-				}
-				await ctx.context.internalAdapter.updateVerificationByIdentifier(storedToken, { value: JSON.stringify({
-					email,
-					name,
-					attempt: attempt + 1
-				}) });
+				const { email, name } = JSON.parse(tokenValue.value);
 				let isNewUser = false;
 				let user = await ctx.context.internalAdapter.findUserByEmail(email).then((res) => res?.user);
 				if (!user) if (!opts.disableSignUp) {

package/dist/plugins/mcp/authorize.mjs CHANGED Viewed

@@ -72,8 +72,14 @@ async function authorizeMCPOAuth(ctx, options) {
 	});
 	if (invalidScopes.length) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`));
 	if ((!query.code_challenge || !query.code_challenge_method) && options.requirePKCE) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "pkce is required"));
-	if (!query.code_challenge_method) query.code_challenge_method = "plain";
-	if (!["s256", options.allowPlainCodeChallengeMethod ? "plain" : "s256"].includes(query.code_challenge_method?.toLowerCase() || "")) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method"));
+	if (query.code_challenge_method && !query.code_challenge) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "code_challenge_method requires code_challenge"));
+	if (query.code_challenge) {
+		const allowedCodeChallengeMethods = options.allowPlainCodeChallengeMethod ? ["s256", "plain"] : ["s256"];
+		let codeChallengeMethod = query.code_challenge_method?.toLowerCase();
+		if (!codeChallengeMethod && options.allowPlainCodeChallengeMethod) codeChallengeMethod = "plain";
+		if (!codeChallengeMethod || !allowedCodeChallengeMethods.includes(codeChallengeMethod)) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method"));
+		query.code_challenge_method = codeChallengeMethod;
+	}
 	const code = generateRandomString(32, "a-z", "A-Z", "0-9");
 	const codeExpiresInMs = opts.codeExpiresIn * 1e3;
 	const expiresAt = new Date(Date.now() + codeExpiresInMs);