better-auth 1.7.0-beta.4 → 1.7.0-beta.6

package/dist/_virtual/_rolldown/runtime.mjs

@@ -1,12 +1,8 @@
-import { createRequire } from "node:module";
 //#region \0rolldown/runtime.js
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __commonJSMin = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
 var __exportAll = (all, no_symbols) => {
 	let target = {};
 	for (var name in all) __defProp(target, name, {
@@ -27,10 +23,5 @@ var __copyProps = (to, from, except, desc) => {
 	return to;
 };
 var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
-	value: mod,
-	enumerable: true
-}) : target, mod));
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
 //#endregion
-export { __commonJSMin, __exportAll, __reExport, __require, __toESM };
+export { __exportAll, __reExport };

package/dist/api/dispatch.d.mts

@@ -0,0 +1,34 @@
+import { AuthContext } from "@better-auth/core";
+import { Endpoint, EndpointContext, InputContext } from "better-call";
+
+//#region src/api/dispatch.d.ts
+/**
+ * Input accepted by {@link dispatchAuthEndpoint}. `context` must already be a
+ * resolved `AuthContext`; the caller owns `baseURL` resolution. A fresh
+ * dispatch carries no `session` (the shared context has none), while a resumed
+ * dispatch carries the in-flight request's `session` through.
+ */
+type DispatchContext = Partial<InputContext<string, any> & EndpointContext<string, any>> & {
+  context: AuthContext & {
+    returned?: unknown | undefined;
+    responseHeaders?: Headers | undefined;
+  };
+  operationId?: string | undefined;
+};
+/**
+ * Run a single endpoint through the configured `hooks.before` / `hooks.after`
+ * pipeline, normalizing the response, headers, and `APIError`s the same way a
+ * router or `auth.api.*` dispatch does.
+ *
+ * This is the canonical hook runner. The HTTP router and `auth.api.*` reach it
+ * through {@link toAuthEndpoints}. Plugins call it directly when they need to
+ * re-enter the pipeline on purpose, such as resuming `/oauth2/authorize` after
+ * a fresh sign-in. Calling an endpoint as a plain function deliberately skips
+ * hooks; `dispatchAuthEndpoint` is the supported way to opt back in.
+ *
+ * @param endpoint The endpoint to dispatch.
+ * @param input Input context whose `context` is an already-resolved `AuthContext`.
+ */
+declare function dispatchAuthEndpoint(endpoint: Endpoint, input: DispatchContext): Promise<unknown>;
+//#endregion
+export { DispatchContext, dispatchAuthEndpoint };

package/dist/api/dispatch.mjs

@@ -0,0 +1,272 @@
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { isRequestLike } from "../utils/url.mjs";
+import { runWithEndpointContext } from "@better-auth/core/context";
+import { shouldPublishLog } from "@better-auth/core/env";
+import { APIError } from "@better-auth/core/error";
+import { createDefu } from "defu";
+import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan } from "@better-auth/core/instrumentation";
+import { kAPIErrorHeaderSymbol, toResponse } from "better-call";
+//#region src/api/dispatch.ts
+const defuReplaceArrays = createDefu((obj, key, value) => {
+	if (Array.isArray(obj[key]) && Array.isArray(value)) {
+		obj[key] = value;
+		return true;
+	}
+});
+const hooksSourceWeakMap = /* @__PURE__ */ new WeakMap();
+/**
+* Resolves the operation id used for spans, preferring an explicit
+* `operationId`, then the OpenAPI one, then the caller's `fallback` (the
+* `auth.api.*` map key), and finally the route path.
+*/
+function getOperationId(endpoint, fallback) {
+	const opts = endpoint.options;
+	return opts?.operationId ?? opts?.metadata?.openapi?.operationId ?? fallback ?? endpoint.path ?? "/:virtual";
+}
+/**
+* Merge a set of response headers onto the dispatch's accumulator, appending
+* `set-cookie` (multiple cookies are legal) and replacing everything else.
+*/
+function mergeResponseHeaders(context, headers) {
+	if (!headers) return;
+	headers.forEach((value, key) => {
+		if (!context.responseHeaders) context.responseHeaders = new Headers({ [key]: value });
+		else if (key.toLowerCase() === "set-cookie") context.responseHeaders.append(key, value);
+		else context.responseHeaders.set(key, value);
+	});
+}
+/**
+* Combine the two header sources an `APIError` can carry into one set:
+* - `kAPIErrorHeaderSymbol`: `ctx.responseHeaders` accumulated via
+*   `c.setCookie` / `c.setHeader` before the throw.
+* - `e.headers`: explicit headers on the error (e.g. `location` from
+*   `c.redirect`).
+*
+* `c.redirect()` reuses `ctx.responseHeaders` as `e.headers`, so when both
+* point at the same object iterating each would duplicate every `set-cookie`;
+* the identity check skips that copy. Explicit error headers override
+* accumulated ones, while cookies from both accumulate.
+*/
+function mergeAPIErrorHeaders(error) {
+	const ctxHeaders = error[kAPIErrorHeaderSymbol];
+	const errHeaders = error.headers && error.headers !== ctxHeaders ? new Headers(error.headers) : null;
+	if (!ctxHeaders && !errHeaders) return null;
+	const headers = new Headers();
+	ctxHeaders?.forEach((value, key) => {
+		headers.append(key, value);
+	});
+	errHeaders?.forEach((value, key) => {
+		if (key.toLowerCase() === "set-cookie") headers.append(key, value);
+		else headers.set(key, value);
+	});
+	return headers;
+}
+async function runBeforeHooks(context, hooks, endpoint, operationId) {
+	let modifiedContext = {};
+	for (const hook of hooks) {
+		let matched = false;
+		try {
+			matched = hook.matcher(context);
+		} catch (error) {
+			const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+			context.context.logger.error(`An error occurred during ${hookSource} hook matcher execution:`, error);
+			throw new APIError("INTERNAL_SERVER_ERROR", { message: "An error occurred during hook matcher execution. Check the logs for more details." });
+		}
+		if (!matched) continue;
+		const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+		const route = endpoint.path ?? "/:virtual";
+		const result = await withSpan(`hook before ${route} ${hookSource}`, {
+			[ATTR_HOOK_TYPE]: "before",
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_CONTEXT]: hookSource,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => hook.handler({
+			...context,
+			returnHeaders: true
+		})).catch((e) => {
+			if (isAPIError(e) && shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
+			throw e;
+		});
+		mergeResponseHeaders(context.context, result?.headers);
+		const hookReturn = result?.response;
+		if (hookReturn && typeof hookReturn === "object") {
+			if ("context" in hookReturn && typeof hookReturn.context === "object") {
+				const { headers, ...rest } = hookReturn.context;
+				if (headers instanceof Headers) if (modifiedContext.headers) headers.forEach((value, key) => {
+					modifiedContext.headers?.set(key, value);
+				});
+				else modifiedContext.headers = headers;
+				modifiedContext = defuReplaceArrays(rest, modifiedContext);
+				continue;
+			}
+			return hookReturn;
+		}
+	}
+	return { context: modifiedContext };
+}
+async function runAfterHooks(context, hooks, endpoint, operationId) {
+	for (const hook of hooks) {
+		if (!hook.matcher(context)) continue;
+		const hookSource = hooksSourceWeakMap.get(hook.handler) ?? "unknown";
+		const route = endpoint.path ?? "/:virtual";
+		const result = await withSpan(`hook after ${route} ${hookSource}`, {
+			[ATTR_HOOK_TYPE]: "after",
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_CONTEXT]: hookSource,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => hook.handler(context)).catch((e) => {
+			if (isAPIError(e)) {
+				if (shouldPublishLog(context.context.logger.level, "debug")) e.stack = e.errorStack;
+				return {
+					response: e,
+					headers: mergeAPIErrorHeaders(e)
+				};
+			}
+			throw e;
+		});
+		mergeResponseHeaders(context.context, result.headers);
+		if (result.response !== void 0) context.context.returned = result.response;
+	}
+	return {
+		response: context.context.returned,
+		headers: context.context.responseHeaders
+	};
+}
+function getHooks(authContext) {
+	const plugins = authContext.options.plugins || [];
+	const beforeHooks = [];
+	const afterHooks = [];
+	const beforeHookHandler = authContext.options.hooks?.before;
+	if (beforeHookHandler) {
+		hooksSourceWeakMap.set(beforeHookHandler, "user");
+		beforeHooks.push({
+			matcher: () => true,
+			handler: beforeHookHandler
+		});
+	}
+	const afterHookHandler = authContext.options.hooks?.after;
+	if (afterHookHandler) {
+		hooksSourceWeakMap.set(afterHookHandler, "user");
+		afterHooks.push({
+			matcher: () => true,
+			handler: afterHookHandler
+		});
+	}
+	const pluginBeforeHooks = plugins.flatMap((plugin) => (plugin.hooks?.before ?? []).map((h) => {
+		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
+		return h;
+	}));
+	const pluginAfterHooks = plugins.flatMap((plugin) => (plugin.hooks?.after ?? []).map((h) => {
+		hooksSourceWeakMap.set(h.handler, `plugin:${plugin.id}`);
+		return h;
+	}));
+	if (pluginBeforeHooks.length) beforeHooks.push(...pluginBeforeHooks);
+	if (pluginAfterHooks.length) afterHooks.push(...pluginAfterHooks);
+	return {
+		beforeHooks,
+		afterHooks
+	};
+}
+/**
+* Run a single endpoint through the configured `hooks.before` / `hooks.after`
+* pipeline, normalizing the response, headers, and `APIError`s the same way a
+* router or `auth.api.*` dispatch does.
+*
+* This is the canonical hook runner. The HTTP router and `auth.api.*` reach it
+* through {@link toAuthEndpoints}. Plugins call it directly when they need to
+* re-enter the pipeline on purpose, such as resuming `/oauth2/authorize` after
+* a fresh sign-in. Calling an endpoint as a plain function deliberately skips
+* hooks; `dispatchAuthEndpoint` is the supported way to opt back in.
+*
+* @param endpoint The endpoint to dispatch.
+* @param input Input context whose `context` is an already-resolved `AuthContext`.
+*/
+async function dispatchAuthEndpoint(endpoint, input) {
+	const operationId = input.operationId ?? getOperationId(endpoint);
+	const route = endpoint.path ?? "/:virtual";
+	const endpointMethod = endpoint.options?.method;
+	const defaultMethod = Array.isArray(endpointMethod) ? endpointMethod[0] : endpointMethod;
+	const methodName = input.method ?? input.request?.method ?? defaultMethod ?? "?";
+	const shouldReturnResponse = input.asResponse ?? isRequestLike(input.request);
+	let internalContext = {
+		...input,
+		context: {
+			...input.context,
+			returned: void 0,
+			responseHeaders: void 0,
+			session: input.context.session ?? null
+		},
+		path: endpoint.path,
+		headers: input.headers ? new Headers(input.headers) : void 0
+	};
+	return withSpan(`${methodName} ${route}`, {
+		[ATTR_HTTP_ROUTE]: route,
+		[ATTR_OPERATION_ID]: operationId
+	}, async () => runWithEndpointContext(internalContext, async () => {
+		const { beforeHooks, afterHooks } = getHooks(internalContext.context);
+		const before = await runBeforeHooks(internalContext, beforeHooks, endpoint, operationId);
+		if ("context" in before && before.context && typeof before.context === "object") {
+			const { headers, ...rest } = before.context;
+			if (headers) {
+				if (!internalContext.headers) internalContext.headers = new Headers();
+				const requestHeaders = internalContext.headers;
+				headers.forEach((value, key) => {
+					requestHeaders.set(key, value);
+				});
+			}
+			internalContext = defuReplaceArrays(rest, internalContext);
+		} else if (before) {
+			const responseHeaders = internalContext.context.responseHeaders;
+			return shouldReturnResponse ? toResponse(before, { headers: responseHeaders }) : input.returnHeaders ? {
+				headers: responseHeaders,
+				response: before
+			} : before;
+		}
+		internalContext.asResponse = false;
+		internalContext.returnHeaders = true;
+		internalContext.returnStatus = true;
+		const result = await runWithEndpointContext(internalContext, () => withSpan(`handler ${route}`, {
+			[ATTR_HTTP_ROUTE]: route,
+			[ATTR_OPERATION_ID]: operationId
+		}, () => endpoint(internalContext))).catch((e) => {
+			if (isAPIError(e)) return {
+				response: e,
+				status: e.statusCode,
+				headers: mergeAPIErrorHeaders(e)
+			};
+			throw e;
+		});
+		if (result instanceof Response) return result;
+		internalContext.context.returned = result.response;
+		internalContext.context.responseHeaders = result.headers ?? void 0;
+		const after = await runAfterHooks(internalContext, afterHooks, endpoint, operationId);
+		if (after.response !== void 0) result.response = after.response;
+		result.headers = after.headers ?? result.headers;
+		if (isAPIError(result.response) && shouldPublishLog(internalContext.context.logger.level, "debug")) result.response.stack = result.response.errorStack;
+		if (isAPIError(result.response) && !shouldReturnResponse) {
+			if (result.headers) Object.defineProperty(result.response, kAPIErrorHeaderSymbol, {
+				enumerable: false,
+				configurable: true,
+				writable: false,
+				value: result.headers
+			});
+			throw result.response;
+		}
+		return shouldReturnResponse ? toResponse(result.response, {
+			headers: result.headers ?? void 0,
+			status: result.status
+		}) : input.returnHeaders ? input.returnStatus ? {
+			headers: result.headers,
+			response: result.response,
+			status: result.status
+		} : {
+			headers: result.headers,
+			response: result.response
+		} : input.returnStatus ? {
+			response: result.response,
+			status: result.status
+		} : result.response;
+	}));
+}
+//#endregion
+export { dispatchAuthEndpoint, getOperationId };

package/dist/api/index.d.mts

@@ -2,6 +2,7 @@ import { OverrideMerge, Prettify as Prettify$1, UnionToIntersection } from "../t
 import { AdditionalSessionFieldsInput, AdditionalUserFieldsInput } from "../types/models.mjs";
 import { getIp } from "../utils/get-request-ip.mjs";
 import { isAPIError } from "../utils/is-api-error.mjs";
+import { DispatchContext, dispatchAuthEndpoint } from "./dispatch.mjs";
 import { requireOrgRole, requireResourceOwnership } from "./middlewares/authorization.mjs";
 import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./middlewares/origin-check.mjs";
 import { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount } from "./routes/account.mjs";
@@ -10,13 +11,13 @@ import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEm
 import { error } from "./routes/error.mjs";
 import { ok } from "./routes/ok.mjs";
 import { requestPasswordReset, requestPasswordResetCallback, resetPassword, verifyPassword } from "./routes/password.mjs";
-import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
 import { signInEmail, signInSocial } from "./routes/sign-in.mjs";
 import { signOut } from "./routes/sign-out.mjs";
 import { signUpEmail } from "./routes/sign-up.mjs";
 import { updateSession } from "./routes/update-session.mjs";
 import { changeEmail, changePassword, deleteUser, deleteUserCallback, setPassword, updateUser } from "./routes/update-user.mjs";
-import { getOAuthState } from "./state/oauth.mjs";
+import { addOAuthServerContext, getOAuthState } from "./state/oauth.mjs";
 import { getShouldSkipSessionRefresh, setShouldSkipSessionRefresh } from "./state/should-session-refresh.mjs";
 import { AuthContext, Awaitable, BetterAuthOptions, BetterAuthPlugin } from "@better-auth/core";
 import * as _better_auth_core_db0 from "@better-auth/core/db";
@@ -24,7 +25,7 @@ import { InternalLogger } from "@better-auth/core/env";
 import { APIError } from "@better-auth/core/error";
 import * as _better_auth_core_oauth20 from "@better-auth/core/oauth2";
 import * as better_call0 from "better-call";
-import { AuthEndpoint, AuthMiddleware, createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
+import { AuthEndpoint, AuthMiddleware, NO_STORE_HEADERS, createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
 import * as zod from "zod";
 import * as zod_v4_core0 from "zod/v4/core";
 
@@ -99,6 +100,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
           accessToken: zod.ZodOptional<zod.ZodString>;
           refreshToken: zod.ZodOptional<zod.ZodString>;
           expiresAt: zod.ZodOptional<zod.ZodNumber>;
+          scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
           user: zod.ZodOptional<zod.ZodObject<{
             name: zod.ZodOptional<zod.ZodObject<{
               firstName: zod.ZodOptional<zod.ZodString>;
@@ -127,6 +129,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
               accessToken: zod.ZodOptional<zod.ZodString>;
               refreshToken: zod.ZodOptional<zod.ZodString>;
               expiresAt: zod.ZodOptional<zod.ZodNumber>;
+              scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
               user: zod.ZodOptional<zod.ZodObject<{
                 name: zod.ZodOptional<zod.ZodObject<{
                   firstName: zod.ZodOptional<zod.ZodString>;
@@ -1709,7 +1712,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
                         userId: {
                           type: string;
                         };
-                        scopes: {
+                        grantedScopes: {
                           type: string;
                           items: {
                             type: string;
@@ -1726,7 +1729,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         };
       };
     }, {
-      scopes: string[];
+      grantedScopes: string[];
       id: string;
       createdAt: Date;
       updatedAt: Date;
@@ -1866,6 +1869,12 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
                         type: string;
                         format: string;
                       };
+                      grantedScopes: {
+                        type: string;
+                        items: {
+                          type: string;
+                        };
+                      };
                     };
                   };
                 };
@@ -1882,7 +1891,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
       refreshToken: string;
       accessTokenExpiresAt: Date | undefined;
       refreshTokenExpiresAt: Date | null | undefined;
-      scope: string | null | undefined;
+      grantedScopes: string[];
       idToken: string | null | undefined;
       providerId: string;
       accountId: string;
@@ -1932,7 +1941,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
     }, {
       accessToken: string;
       accessTokenExpiresAt: Date | undefined;
-      scopes: string[];
+      grantedScopes: string[];
       idToken: string | undefined;
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
@@ -2075,6 +2084,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
           accessToken: zod.ZodOptional<zod.ZodString>;
           refreshToken: zod.ZodOptional<zod.ZodString>;
           expiresAt: zod.ZodOptional<zod.ZodNumber>;
+          scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
           user: zod.ZodOptional<zod.ZodObject<{
             name: zod.ZodOptional<zod.ZodObject<{
               firstName: zod.ZodOptional<zod.ZodString>;
@@ -2103,6 +2113,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
               accessToken: zod.ZodOptional<zod.ZodString>;
               refreshToken: zod.ZodOptional<zod.ZodString>;
               expiresAt: zod.ZodOptional<zod.ZodNumber>;
+              scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
               user: zod.ZodOptional<zod.ZodObject<{
                 name: zod.ZodOptional<zod.ZodObject<{
                   firstName: zod.ZodOptional<zod.ZodString>;
@@ -3685,7 +3696,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
                         userId: {
                           type: string;
                         };
-                        scopes: {
+                        grantedScopes: {
                           type: string;
                           items: {
                             type: string;
@@ -3702,7 +3713,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         };
       };
     }, {
-      scopes: string[];
+      grantedScopes: string[];
       id: string;
       createdAt: Date;
       updatedAt: Date;
@@ -3842,6 +3853,12 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
                         type: string;
                         format: string;
                       };
+                      grantedScopes: {
+                        type: string;
+                        items: {
+                          type: string;
+                        };
+                      };
                     };
                   };
                 };
@@ -3858,7 +3875,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
       refreshToken: string;
       accessTokenExpiresAt: Date | undefined;
       refreshTokenExpiresAt: Date | null | undefined;
-      scope: string | null | undefined;
+      grantedScopes: string[];
       idToken: string | null | undefined;
       providerId: string;
       accountId: string;
@@ -3908,7 +3925,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
     }, {
       accessToken: string;
       accessTokenExpiresAt: Date | undefined;
-      scopes: string[];
+      grantedScopes: string[];
       idToken: string | undefined;
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
@@ -3972,4 +3989,4 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
   } extends infer T_2 ? { [K in keyof T_2 as K extends keyof T_1 ? never : K]: T_2[K] } : never) & T_1> : never : never : never;
 };
 //#endregion
-export { APIError, type AuthEndpoint, type AuthMiddleware, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, type AuthEndpoint, type AuthMiddleware, type DispatchContext, NO_STORE_HEADERS, accountInfo, addOAuthServerContext, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, isStateful, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/index.mjs

@@ -2,10 +2,10 @@ import { isAPIError } from "../utils/is-api-error.mjs";
 import { requireOrgRole, requireResourceOwnership } from "./middlewares/authorization.mjs";
 import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./middlewares/origin-check.mjs";
 import { getIp } from "../utils/get-request-ip.mjs";
-import { onRequestRateLimit, onResponseRateLimit } from "./rate-limiter/index.mjs";
-import { getOAuthState } from "./state/oauth.mjs";
+import { onRequestRateLimit } from "./rate-limiter/index.mjs";
+import { addOAuthServerContext, getOAuthState } from "./state/oauth.mjs";
 import { getShouldSkipSessionRefresh, setShouldSkipSessionRefresh } from "./state/should-session-refresh.mjs";
-import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
 import { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount } from "./routes/account.mjs";
 import { callbackOAuth } from "./routes/callback.mjs";
 import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEmailFn, verifyEmail } from "./routes/email-verification.mjs";
@@ -17,13 +17,14 @@ import { signOut } from "./routes/sign-out.mjs";
 import { signUpEmail } from "./routes/sign-up.mjs";
 import { updateSession } from "./routes/update-session.mjs";
 import { changeEmail, changePassword, deleteUser, deleteUserCallback, setPassword, updateUser } from "./routes/update-user.mjs";
+import { dispatchAuthEndpoint } from "./dispatch.mjs";
 import { toAuthEndpoints } from "./to-auth-endpoints.mjs";
 import { logger } from "@better-auth/core/env";
 import { APIError } from "@better-auth/core/error";
 import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, withSpan } from "@better-auth/core/instrumentation";
 import { normalizePathname } from "@better-auth/core/utils/url";
 import { createRouter } from "better-call";
-import { createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
+import { NO_STORE_HEADERS, createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
 //#region src/api/index.ts
 function checkEndpointConflicts(options, logger) {
 	const endpointRegistry = /* @__PURE__ */ new Map();
@@ -177,7 +178,6 @@ const router = (ctx, options) => {
 			return currentRequest;
 		},
 		async onResponse(res, req) {
-			await onResponseRateLimit(req, ctx);
 			for (const plugin of ctx.options.plugins || []) if (plugin.onResponse) {
 				const response = await withSpan(`onResponse ${plugin.id}`, {
 					[ATTR_HOOK_TYPE]: "onResponse",
@@ -213,4 +213,4 @@ const router = (ctx, options) => {
 	});
 };
 //#endregion
-export { APIError, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, NO_STORE_HEADERS, accountInfo, addOAuthServerContext, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, isStateful, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/middlewares/origin-check.mjs

@@ -23,7 +23,10 @@ function shouldSkipOriginCheck(ctx) {
 	if (Array.isArray(skipOriginCheck) && ctx.request) try {
 		const basePath = new URL(ctx.context.baseURL).pathname;
 		const currentPath = normalizePathname(ctx.request.url, basePath);
-		return skipOriginCheck.some((skipPath) => currentPath.startsWith(skipPath));
+		return skipOriginCheck.some((skipPath) => {
+			const normalizedSkipPath = skipPath.replace(/\/+$/, "");
+			return currentPath === normalizedSkipPath || currentPath.startsWith(`${normalizedSkipPath}/`);
+		});
 	} catch {}
 	return false;
 }
@@ -47,6 +50,7 @@ const originCheckMiddleware = createAuthMiddleware(async (ctx) => {
 	const newUserCallbackURL = body?.newUserCallbackURL;
 	const validateURL = (url, label) => {
 		if (!url) return;
+		if (typeof url !== "string") throw APIError.fromStatus("BAD_REQUEST", { message: `Invalid ${label}: expected a string` });
 		if (!ctx.context.isTrustedOrigin(url, { allowRelativePaths: label !== "origin" })) {
 			ctx.context.logger.error(`Invalid ${label}: ${url}`);
 			ctx.context.logger.info(`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\n`, `Current list of trustedOrigins: ${ctx.context.trustedOrigins}`);
@@ -141,6 +145,7 @@ async function validateFormCsrf(ctx) {
 		}
 		return await validateOrigin(ctx, true);
 	}
+	if (headers.get("origin") || headers.get("referer")) return await validateOrigin(ctx, true);
 }
 //#endregion
 export { formCsrfMiddleware, originCheck, originCheckMiddleware };