npm - better-auth - Versions diffs - 1.7.0-beta.3 → 1.7.0-beta.4 - Mend

better-auth 1.7.0-beta.3 → 1.7.0-beta.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (245) hide show

package/dist/_virtual/_rolldown/runtime.mjs CHANGED Viewed

@@ -1,8 +1,12 @@
+import { createRequire } from "node:module";
 //#region \0rolldown/runtime.js
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJSMin = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
 var __exportAll = (all, no_symbols) => {
 	let target = {};
 	for (var name in all) __defProp(target, name, {
@@ -23,5 +27,10 @@ var __copyProps = (to, from, except, desc) => {
 	return to;
 };
 var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
+	value: mod,
+	enumerable: true
+}) : target, mod));
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
 //#endregion
-export { __exportAll, __reExport };
+export { __commonJSMin, __exportAll, __reExport, __require, __toESM };

package/dist/api/index.d.mts CHANGED Viewed

@@ -110,6 +110,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
         requestSignUp: zod.ZodOptional<zod.ZodBoolean>;
         loginHint: zod.ZodOptional<zod.ZodString>;
+        additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
         additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
       }, zod_v4_core0.$strip>;
       metadata: {
@@ -137,6 +138,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
             scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
             requestSignUp: zod.ZodOptional<zod.ZodBoolean>;
             loginHint: zod.ZodOptional<zod.ZodString>;
+            additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
             additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
           }, zod_v4_core0.$strip>>;
           returned: {
@@ -329,6 +331,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         callbackURL: zod.ZodOptional<zod.ZodString>;
         rememberMe: zod.ZodOptional<zod.ZodBoolean>;
       }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+      cloneRequest: true;
       metadata: {
         allowedMediaTypes: string[];
         $Infer: {
@@ -495,6 +498,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
       method: "POST";
       operationId: string;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodString;
         password: zod.ZodString;
@@ -726,6 +730,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
     readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
       method: "POST";
       operationId: string;
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodEmail;
         callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -1582,6 +1587,8 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
         errorCallbackURL: zod.ZodOptional<zod.ZodString>;
         disableRedirect: zod.ZodOptional<zod.ZodBoolean>;
+        loginHint: zod.ZodOptional<zod.ZodString>;
+        additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
         additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
       }, zod_v4_core0.$strip>;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
@@ -1930,29 +1937,6 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
       method: "GET";
-      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        session: {
-          session: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            userId: string;
-            expiresAt: Date;
-            token: string;
-            ipAddress?: string | null | undefined;
-            userAgent?: string | null | undefined;
-          };
-          user: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            email: string;
-            emailVerified: boolean;
-            name: string;
-            image?: string | null | undefined;
-          };
-        };
-      }>)[];
       metadata: {
         openapi: {
           description: string;
@@ -2002,6 +1986,8 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
       };
       query: zod.ZodOptional<zod.ZodObject<{
         accountId: zod.ZodOptional<zod.ZodString>;
+        providerId: zod.ZodOptional<zod.ZodString>;
+        userId: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
     }, {
       user: _better_auth_core_oauth20.OAuth2UserInfo;
@@ -2100,6 +2086,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
         requestSignUp: zod.ZodOptional<zod.ZodBoolean>;
         loginHint: zod.ZodOptional<zod.ZodString>;
+        additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
         additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
       }, zod_v4_core0.$strip>;
       metadata: {
@@ -2127,6 +2114,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
             scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
             requestSignUp: zod.ZodOptional<zod.ZodBoolean>;
             loginHint: zod.ZodOptional<zod.ZodString>;
+            additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
             additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
           }, zod_v4_core0.$strip>>;
           returned: {
@@ -2319,6 +2307,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         callbackURL: zod.ZodOptional<zod.ZodString>;
         rememberMe: zod.ZodOptional<zod.ZodBoolean>;
       }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+      cloneRequest: true;
       metadata: {
         allowedMediaTypes: string[];
         $Infer: {
@@ -2485,6 +2474,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
       method: "POST";
       operationId: string;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodString;
         password: zod.ZodString;
@@ -2716,6 +2706,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
     readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
       method: "POST";
       operationId: string;
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodEmail;
         callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -3572,6 +3563,8 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
         errorCallbackURL: zod.ZodOptional<zod.ZodString>;
         disableRedirect: zod.ZodOptional<zod.ZodBoolean>;
+        loginHint: zod.ZodOptional<zod.ZodString>;
+        additionalParams: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodString>>;
         additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
       }, zod_v4_core0.$strip>;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
@@ -3920,29 +3913,6 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
       method: "GET";
-      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        session: {
-          session: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            userId: string;
-            expiresAt: Date;
-            token: string;
-            ipAddress?: string | null | undefined;
-            userAgent?: string | null | undefined;
-          };
-          user: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            email: string;
-            emailVerified: boolean;
-            name: string;
-            image?: string | null | undefined;
-          };
-        };
-      }>)[];
       metadata: {
         openapi: {
           description: string;
@@ -3992,6 +3962,8 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
       };
       query: zod.ZodOptional<zod.ZodObject<{
         accountId: zod.ZodOptional<zod.ZodString>;
+        providerId: zod.ZodOptional<zod.ZodString>;
+        userId: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
     }, {
       user: _better_auth_core_oauth20.OAuth2UserInfo;

package/dist/api/routes/account.d.mts CHANGED Viewed

@@ -104,6 +104,8 @@ declare const linkSocialAccount: better_call0.StrictEndpoint<"/link-social", {
     scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
     errorCallbackURL: z.ZodOptional<z.ZodString>;
     disableRedirect: z.ZodOptional<z.ZodBoolean>;
+    loginHint: z.ZodOptional<z.ZodString>;
+    additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
     additionalData: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
   }, z.core.$strip>;
   use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
@@ -328,29 +330,6 @@ declare const refreshToken: better_call0.StrictEndpoint<"/refresh-token", {
 }>;
 declare const accountInfo: better_call0.StrictEndpoint<"/account-info", {
   method: "GET";
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-    session: {
-      session: Record<string, any> & {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        userId: string;
-        expiresAt: Date;
-        token: string;
-        ipAddress?: string | null | undefined;
-        userAgent?: string | null | undefined;
-      };
-      user: Record<string, any> & {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        email: string;
-        emailVerified: boolean;
-        name: string;
-        image?: string | null | undefined;
-      };
-    };
-  }>)[];
   metadata: {
     openapi: {
       description: string;
@@ -400,6 +379,8 @@ declare const accountInfo: better_call0.StrictEndpoint<"/account-info", {
   };
   query: z.ZodOptional<z.ZodObject<{
     accountId: z.ZodOptional<z.ZodString>;
+    providerId: z.ZodOptional<z.ZodString>;
+    userId: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>>;
 }, {
   user: _better_auth_core_oauth20.OAuth2UserInfo;

package/dist/api/routes/account.mjs CHANGED Viewed

@@ -2,10 +2,12 @@ import { parseAccountOutput } from "../../db/schema.mjs";
 import { getAccountCookie, setAccountCookie } from "../../cookies/session-store.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
 import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
-import { generateState } from "../../oauth2/state.mjs";
 import { decryptOAuthToken, setTokenUtil } from "../../oauth2/utils.mjs";
+import { applyUpdateUserInfoOnLink } from "../../oauth2/link-account.mjs";
+import { generateState } from "../../oauth2/state.mjs";
 import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
+import { additionalAuthorizationParamsSchema } from "@better-auth/core/oauth2";
 import { SocialProviderListEnum } from "@better-auth/core/social-providers";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
@@ -81,6 +83,8 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 		scopes: z.array(z.string()).meta({ description: "Additional scopes to request from the provider" }).optional(),
 		errorCallbackURL: z.string().meta({ description: "The URL to redirect to if there is an error during the link process" }).optional(),
 		disableRedirect: z.boolean().meta({ description: "Disable automatic redirection to the provider. Useful for handling the redirection yourself" }).optional(),
+		loginHint: z.string().meta({ description: "The login hint to use for the authorization code request" }).optional(),
+		additionalParams: additionalAuthorizationParamsSchema,
 		additionalData: z.record(z.string(), z.any()).optional()
 	}),
 	use: [sessionMiddleware],
@@ -166,14 +170,7 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 				code: "LINKING_FAILED"
 			});
 		}
-		if (c.context.options.account?.accountLinking?.updateUserInfoOnLink === true) try {
-			await c.context.internalAdapter.updateUser(session.user.id, {
-				name: linkingUserInfo.user?.name,
-				image: linkingUserInfo.user?.image
-			});
-		} catch (e) {
-			console.warn("Could not update user - " + e.toString());
-		}
+		await applyUpdateUserInfoOnLink(c, session.user.id, linkingUserInfo.user);
 		return c.json({
 			url: "",
 			status: true,
@@ -188,7 +185,9 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 		state: state.state,
 		codeVerifier: state.codeVerifier,
 		redirectURI: `${c.context.baseURL}/callback/${provider.id}`,
-		scopes: c.body.scopes
+		scopes: c.body.scopes,
+		loginHint: c.body.loginHint,
+		additionalParams: c.body.additionalParams
 	});
 	if (!c.body.disableRedirect) c.setHeader("Location", url.toString());
 	return c.json({
@@ -222,50 +221,44 @@ const unlinkAccount = createAuthEndpoint("/unlink-account", {
 	await ctx.context.internalAdapter.deleteAccount(accountExist.id);
 	return ctx.json({ status: true });
 });
-const getAccessToken = createAuthEndpoint("/get-access-token", {
-	method: "POST",
-	body: z.object({
-		providerId: z.string().meta({ description: "The provider ID for the OAuth provider" }),
-		accountId: z.string().meta({ description: "The account ID associated with the refresh token" }).optional(),
-		userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
-	}),
-	metadata: { openapi: {
-		description: "Get a valid access token, doing a refresh if needed",
-		responses: {
-			200: {
-				description: "A Valid access token",
-				content: { "application/json": { schema: {
-					type: "object",
-					properties: {
-						tokenType: { type: "string" },
-						idToken: { type: "string" },
-						accessToken: { type: "string" },
-						accessTokenExpiresAt: {
-							type: "string",
-							format: "date-time"
-						}
-					}
-				} } }
-			},
-			400: { description: "Invalid refresh token or provider configuration" }
-		}
-	} }
-}, async (ctx) => {
-	const { providerId, accountId, userId } = ctx.body || {};
-	const req = ctx.request;
+/**
+* Resolves the user id an account-token operation should act on.
+*
+* A caller reaching the server over HTTP (a request or session headers are
+* present) must have a valid session, and that session's user always wins.
+* A trusted server-side `auth.api` caller with no session may instead name a
+* `userId` directly. Throws `UNAUTHORIZED` when an HTTP caller is
+* unauthenticated, and `USER_ID_OR_SESSION_REQUIRED` when neither a session
+* nor a `userId` is available.
+*/
+async function resolveUserId(ctx, userId) {
 	const session = await getSessionFromCtx(ctx);
-	if (req && !session) throw ctx.error("UNAUTHORIZED");
+	if (!session && (ctx.request || ctx.headers)) throw ctx.error("UNAUTHORIZED");
 	const resolvedUserId = session?.user?.id || userId;
-	if (!resolvedUserId) throw ctx.error("UNAUTHORIZED");
+	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
+		message: "Either userId or session is required",
+		code: "USER_ID_OR_SESSION_REQUIRED"
+	});
+	return resolvedUserId;
+}
+/**
+* Fetches a currently-valid access token for a user's provider account,
+* refreshing and persisting it when it is within five seconds of expiry.
+* Shared by the `/get-access-token` endpoint and `/account-info` so both
+* resolve and refresh tokens through one path.
+*/
+async function getValidAccessToken(ctx, { resolvedUserId, providerId, accountId, account: resolvedAccount }) {
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: providerId });
 	if (!provider) throw APIError.from("BAD_REQUEST", {
 		message: `Provider ${providerId} is not supported.`,
 		code: "PROVIDER_NOT_SUPPORTED"
 	});
-	const accountData = await getAccountCookie(ctx);
-	let account = void 0;
-	if (accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
-	else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
+	let account = resolvedAccount;
+	if (!account) {
+		const accountData = await getAccountCookie(ctx);
+		if (accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
+		else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
+	}
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	try {
 		let newTokens = null;
@@ -297,19 +290,55 @@ const getAccessToken = createAuthEndpoint("/get-access-token", {
 				return account.accessTokenExpiresAt;
 			}
 		})();
-		const tokens = {
+		return {
 			accessToken: newTokens?.accessToken ?? await decryptOAuthToken(account.accessToken ?? "", ctx.context),
 			accessTokenExpiresAt,
 			scopes: account.scope?.split(",") ?? [],
 			idToken: newTokens?.idToken ?? account.idToken ?? void 0
 		};
-		return ctx.json(tokens);
 	} catch (_error) {
 		throw APIError.from("BAD_REQUEST", {
 			message: "Failed to get a valid access token",
 			code: "FAILED_TO_GET_ACCESS_TOKEN"
 		});
 	}
+}
+const getAccessToken = createAuthEndpoint("/get-access-token", {
+	method: "POST",
+	body: z.object({
+		providerId: z.string().meta({ description: "The provider ID for the OAuth provider" }),
+		accountId: z.string().meta({ description: "The account ID associated with the refresh token" }).optional(),
+		userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
+	}),
+	metadata: { openapi: {
+		description: "Get a valid access token, doing a refresh if needed",
+		responses: {
+			200: {
+				description: "A Valid access token",
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: {
+						tokenType: { type: "string" },
+						idToken: { type: "string" },
+						accessToken: { type: "string" },
+						accessTokenExpiresAt: {
+							type: "string",
+							format: "date-time"
+						}
+					}
+				} } }
+			},
+			400: { description: "Invalid refresh token or provider configuration" }
+		}
+	} }
+}, async (ctx) => {
+	const { providerId, accountId, userId } = ctx.body || {};
+	const tokens = await getValidAccessToken(ctx, {
+		resolvedUserId: await resolveUserId(ctx, userId),
+		providerId,
+		accountId
+	});
+	return ctx.json(tokens);
 });
 const refreshToken = createAuthEndpoint("/refresh-token", {
 	method: "POST",
@@ -346,14 +375,7 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 	} }
 }, async (ctx) => {
 	const { providerId, accountId, userId } = ctx.body;
-	const req = ctx.request;
-	const session = await getSessionFromCtx(ctx);
-	if (req && !session) throw ctx.error("UNAUTHORIZED");
-	const resolvedUserId = session?.user?.id || userId;
-	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
-		message: `Either userId or session is required`,
-		code: "USER_ID_OR_SESSION_REQUIRED"
-	});
+	const resolvedUserId = await resolveUserId(ctx, userId);
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: providerId });
 	if (!provider) throw APIError.from("BAD_REQUEST", {
 		message: `Provider ${providerId} is not supported.`,
@@ -418,10 +440,13 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 		});
 	}
 });
-const accountInfoQuerySchema = z.optional(z.object({ accountId: z.string().meta({ description: "The provider given account id for which to get the account info" }).optional() }));
+const accountInfoQuerySchema = z.optional(z.object({
+	accountId: z.string().meta({ description: "The provider given account id for which to get the account info" }).optional(),
+	providerId: z.string().meta({ description: "The provider ID to disambiguate provider-issued account IDs" }).optional(),
+	userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
+}));
 const accountInfo = createAuthEndpoint("/account-info", {
 	method: "GET",
-	use: [sessionMiddleware],
 	metadata: { openapi: {
 		description: "Get the account info provided by the provider",
 		responses: { "200": {
@@ -453,7 +478,8 @@ const accountInfo = createAuthEndpoint("/account-info", {
 	} },
 	query: accountInfoQuerySchema
 }, async (ctx) => {
-	const providedAccountId = ctx.query?.accountId;
+	const { accountId: providedAccountId, providerId: providedProviderId, userId } = ctx.query || {};
+	const resolvedUserId = await resolveUserId(ctx, userId);
 	let account = void 0;
 	if (!providedAccountId) {
 		if (ctx.context.options.account?.storeAccountCookie) {
@@ -461,24 +487,24 @@ const accountInfo = createAuthEndpoint("/account-info", {
 			if (accountData) account = accountData;
 		}
 	} else {
-		const accountData = await ctx.context.internalAdapter.findAccount(providedAccountId);
-		if (accountData) account = accountData;
+		const matchingAccounts = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).filter((acc) => acc.accountId === providedAccountId && (!providedProviderId || acc.providerId === providedProviderId));
+		if (matchingAccounts.length > 1) throw APIError.from("BAD_REQUEST", {
+			message: "Multiple accounts share this account ID. Pass a providerId to disambiguate.",
+			code: "AMBIGUOUS_ACCOUNT"
+		});
+		account = matchingAccounts[0];
 	}
-	if (!account || account.userId !== ctx.context.session.user.id) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
+	if (!account || account.userId !== resolvedUserId) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: account.providerId });
-	if (!provider) throw APIError.from("INTERNAL_SERVER_ERROR", {
-		message: `Provider account provider is ${account.providerId} but it is not configured`,
+	if (!provider) throw APIError.from("BAD_REQUEST", {
+		message: "Account is not associated with a configured social provider.",
 		code: "PROVIDER_NOT_CONFIGURED"
 	});
-	const tokens = await getAccessToken({
-		...ctx,
-		method: "POST",
-		body: {
-			accountId: account.accountId,
-			providerId: account.providerId
-		},
-		returnHeaders: false,
-		returnStatus: false
+	const tokens = await getValidAccessToken(ctx, {
+		resolvedUserId,
+		providerId: account.providerId,
+		accountId: account.accountId,
+		account
 	});
 	if (!tokens.accessToken) throw APIError.from("BAD_REQUEST", {
 		message: "Access token not found",

package/dist/api/routes/callback.mjs CHANGED Viewed

@@ -1,10 +1,11 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
 import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
-import { parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
+import { applyUpdateUserInfoOnLink, handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { generateState, parseState } from "../../oauth2/state.mjs";
 import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
-import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 import { createAuthEndpoint } from "@better-auth/core/api";
@@ -52,9 +53,21 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		throw c.redirect(`${defaultErrorURL}?error=invalid_callback_request`);
 	}
 	const { code, error, state, error_description, device_id, user: userData, iss } = queryOrBody;
+	if (state === void 0 && code) {
+		const provider = await getAwaitableValue(c.context.socialProviders, { value: c.params.id });
+		if (provider?.allowIdpInitiated) {
+			const { state: freshState, codeVerifier } = await generateState(c, void 0, void 0);
+			const authUrl = await provider.createAuthorizationURL({
+				state: freshState,
+				codeVerifier,
+				redirectURI: `${c.context.baseURL}/callback/${provider.id}`
+			});
+			throw c.redirect(authUrl.toString());
+		}
+	}
 	if (!state) {
 		c.context.logger.error("State not found", error);
-		const url = `${defaultErrorURL}${defaultErrorURL.includes("?") ? "&" : "?"}state=state_not_found`;
+		const url = `${defaultErrorURL}${defaultErrorURL.includes("?") ? "&" : "?"}error=state_not_found`;
 		throw c.redirect(url);
 	}
 	const { codeVerifier, callbackURL, link, errorURL, newUserURL, requestSignUp } = await parseState(c);
@@ -136,6 +149,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 			refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
 			scope: tokens.scopes?.join(",")
 		})) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_LINK_ACCOUNT);
+		await applyUpdateUserInfoOnLink(c, link.userId, userInfo);
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();
@@ -154,18 +168,24 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		...tokens,
 		scope: tokens.scopes?.join(",")
 	};
-	const result = await handleOAuthUserInfo(c, {
-		userInfo: {
-			...userInfo,
-			id: providerAccountId,
-			email: userInfo.email,
-			name: userInfo.name || ""
-		},
-		account: accountData,
-		callbackURL,
-		disableSignUp: provider.disableImplicitSignUp && !requestSignUp || provider.options?.disableSignUp,
-		overrideUserInfo: provider.options?.overrideUserInfoOnSignIn
-	});
+	let result;
+	try {
+		result = await handleOAuthUserInfo(c, {
+			userInfo: {
+				...userInfo,
+				id: providerAccountId,
+				email: userInfo.email,
+				name: userInfo.name || ""
+			},
+			account: accountData,
+			callbackURL,
+			disableSignUp: provider.disableImplicitSignUp && !requestSignUp || provider.options?.disableSignUp,
+			overrideUserInfo: provider.options?.overrideUserInfoOnSignIn
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) redirectOnError(e.body.code, e.body.message);
+		throw e;
+	}
 	if (result.error) {
 		c.context.logger.error(result.error.split(" ").join("_"));
 		return redirectOnError(result.error.split(" ").join("_"));

package/dist/api/routes/email-verification.d.mts CHANGED Viewed

@@ -27,6 +27,7 @@ declare function sendVerificationEmailFn(ctx: GenericEndpointContext, user: User
 declare const sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
   method: "POST";
   operationId: string;
+  cloneRequest: true;
   body: z.ZodObject<{
     email: z.ZodEmail;
     callbackURL: z.ZodOptional<z.ZodString>;

package/dist/api/routes/email-verification.mjs CHANGED Viewed

@@ -31,11 +31,12 @@ async function sendVerificationEmailFn(ctx, user) {
 		user,
 		url,
 		token
-	}, ctx.request));
+	}, ctx.request?.clone()));
 }
 const sendVerificationEmail = createAuthEndpoint("/send-verification-email", {
 	method: "POST",
 	operationId: "sendVerificationEmail",
+	cloneRequest: true,
 	body: z.object({
 		email: z.email().meta({ description: "The email to send the verification email to" }),
 		callbackURL: z.string().meta({ description: "The URL to use for email verification callback" }).optional()
@@ -185,7 +186,7 @@ const verifyEmail = createAuthEndpoint("/verify-email", {
 					},
 					url,
 					token: newToken
-				}, ctx.request));
+				}, ctx.request?.clone()));
 				if (ctx.query.callbackURL) throw ctx.redirect(ctx.query.callbackURL);
 				return ctx.json({ status: true });
 			}
@@ -238,7 +239,7 @@ const verifyEmail = createAuthEndpoint("/verify-email", {
 					user: updatedUser,
 					url: `${ctx.context.baseURL}/verify-email?token=${newToken}&callbackURL=${updateCallbackURL}`,
 					token: newToken
-				}, ctx.request));
+				}, ctx.request?.clone()));
 				await setSessionCookie(ctx, {
 					session: activeSession.session,
 					user: {

package/dist/api/routes/password.mjs CHANGED Viewed

@@ -161,7 +161,7 @@ const resetPassword = createAuthEndpoint("/reset-password", {
 		const user = await ctx.context.internalAdapter.findUserById(userId);
 		if (user) await ctx.context.options.emailAndPassword.onPasswordReset({ user }, ctx.request);
 	}
-	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteSessions(userId);
+	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteUserSessions(userId);
 	return ctx.json({ status: true });
 });
 const verifyPassword = createAuthEndpoint("/verify-password", {