better-auth 1.7.0-beta.5 → 1.7.0-beta.6

package/dist/_virtual/_rolldown/runtime.mjs

@@ -1,12 +1,8 @@
-import { createRequire } from "node:module";
 //#region \0rolldown/runtime.js
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __commonJSMin = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
 var __exportAll = (all, no_symbols) => {
 	let target = {};
 	for (var name in all) __defProp(target, name, {
@@ -27,10 +23,5 @@ var __copyProps = (to, from, except, desc) => {
 	return to;
 };
 var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
-	value: mod,
-	enumerable: true
-}) : target, mod));
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
 //#endregion
-export { __commonJSMin, __exportAll, __reExport, __require, __toESM };
+export { __exportAll, __reExport };

package/dist/api/index.d.mts

@@ -11,7 +11,7 @@ import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEm
 import { error } from "./routes/error.mjs";
 import { ok } from "./routes/ok.mjs";
 import { requestPasswordReset, requestPasswordResetCallback, resetPassword, verifyPassword } from "./routes/password.mjs";
-import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
 import { signInEmail, signInSocial } from "./routes/sign-in.mjs";
 import { signOut } from "./routes/sign-out.mjs";
 import { signUpEmail } from "./routes/sign-up.mjs";
@@ -25,7 +25,7 @@ import { InternalLogger } from "@better-auth/core/env";
 import { APIError } from "@better-auth/core/error";
 import * as _better_auth_core_oauth20 from "@better-auth/core/oauth2";
 import * as better_call0 from "better-call";
-import { AuthEndpoint, AuthMiddleware, createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
+import { AuthEndpoint, AuthMiddleware, NO_STORE_HEADERS, createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
 import * as zod from "zod";
 import * as zod_v4_core0 from "zod/v4/core";
 
@@ -3989,4 +3989,4 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
   } extends infer T_2 ? { [K in keyof T_2 as K extends keyof T_1 ? never : K]: T_2[K] } : never) & T_1> : never : never : never;
 };
 //#endregion
-export { APIError, type AuthEndpoint, type AuthMiddleware, type DispatchContext, accountInfo, addOAuthServerContext, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, type AuthEndpoint, type AuthMiddleware, type DispatchContext, NO_STORE_HEADERS, accountInfo, addOAuthServerContext, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, isStateful, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/index.mjs

@@ -2,10 +2,10 @@ import { isAPIError } from "../utils/is-api-error.mjs";
 import { requireOrgRole, requireResourceOwnership } from "./middlewares/authorization.mjs";
 import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./middlewares/origin-check.mjs";
 import { getIp } from "../utils/get-request-ip.mjs";
-import { onRequestRateLimit, onResponseRateLimit } from "./rate-limiter/index.mjs";
+import { onRequestRateLimit } from "./rate-limiter/index.mjs";
 import { addOAuthServerContext, getOAuthState } from "./state/oauth.mjs";
 import { getShouldSkipSessionRefresh, setShouldSkipSessionRefresh } from "./state/should-session-refresh.mjs";
-import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
 import { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount } from "./routes/account.mjs";
 import { callbackOAuth } from "./routes/callback.mjs";
 import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEmailFn, verifyEmail } from "./routes/email-verification.mjs";
@@ -24,7 +24,7 @@ import { APIError } from "@better-auth/core/error";
 import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, withSpan } from "@better-auth/core/instrumentation";
 import { normalizePathname } from "@better-auth/core/utils/url";
 import { createRouter } from "better-call";
-import { createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
+import { NO_STORE_HEADERS, createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
 //#region src/api/index.ts
 function checkEndpointConflicts(options, logger) {
 	const endpointRegistry = /* @__PURE__ */ new Map();
@@ -178,7 +178,6 @@ const router = (ctx, options) => {
 			return currentRequest;
 		},
 		async onResponse(res, req) {
-			await onResponseRateLimit(req, ctx);
 			for (const plugin of ctx.options.plugins || []) if (plugin.onResponse) {
 				const response = await withSpan(`onResponse ${plugin.id}`, {
 					[ATTR_HOOK_TYPE]: "onResponse",
@@ -214,4 +213,4 @@ const router = (ctx, options) => {
 	});
 };
 //#endregion
-export { APIError, accountInfo, addOAuthServerContext, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, NO_STORE_HEADERS, accountInfo, addOAuthServerContext, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, isStateful, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/middlewares/origin-check.mjs

@@ -23,7 +23,10 @@ function shouldSkipOriginCheck(ctx) {
 	if (Array.isArray(skipOriginCheck) && ctx.request) try {
 		const basePath = new URL(ctx.context.baseURL).pathname;
 		const currentPath = normalizePathname(ctx.request.url, basePath);
-		return skipOriginCheck.some((skipPath) => currentPath.startsWith(skipPath));
+		return skipOriginCheck.some((skipPath) => {
+			const normalizedSkipPath = skipPath.replace(/\/+$/, "");
+			return currentPath === normalizedSkipPath || currentPath.startsWith(`${normalizedSkipPath}/`);
+		});
 	} catch {}
 	return false;
 }
@@ -47,6 +50,7 @@ const originCheckMiddleware = createAuthMiddleware(async (ctx) => {
 	const newUserCallbackURL = body?.newUserCallbackURL;
 	const validateURL = (url, label) => {
 		if (!url) return;
+		if (typeof url !== "string") throw APIError.fromStatus("BAD_REQUEST", { message: `Invalid ${label}: expected a string` });
 		if (!ctx.context.isTrustedOrigin(url, { allowRelativePaths: label !== "origin" })) {
 			ctx.context.logger.error(`Invalid ${label}: ${url}`);
 			ctx.context.logger.info(`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\n`, `Current list of trustedOrigins: ${ctx.context.trustedOrigins}`);

package/dist/api/rate-limiter/index.mjs

@@ -1,14 +1,66 @@
 import { wildcardMatch } from "../../utils/wildcard.mjs";
 import { getIp } from "../../utils/get-request-ip.mjs";
-import { safeJSONParse } from "@better-auth/core/utils/json";
+import { BetterAuthError } from "@better-auth/core/error";
 import { normalizePathname } from "@better-auth/core/utils/url";
 import { createRateLimitKey } from "@better-auth/core/utils/ip";
 //#region src/api/rate-limiter/index.ts
 const memory = /* @__PURE__ */ new Map();
-function shouldRateLimit(max, window, rateLimitData) {
+const MEMORY_STORE_MAX_ENTRIES = 1e5;
+function pruneMemoryStore() {
 	const now = Date.now();
-	const windowInMs = window * 1e3;
-	return now - rateLimitData.lastRequest < windowInMs && rateLimitData.count >= max;
+	for (const [key, entry] of memory) if (now >= entry.expiresAt) memory.delete(key);
+	if (memory.size <= MEMORY_STORE_MAX_ENTRIES) return;
+	const overflow = memory.size - MEMORY_STORE_MAX_ENTRIES;
+	let removed = 0;
+	for (const key of memory.keys()) {
+		memory.delete(key);
+		if (++removed >= overflow) break;
+	}
+}
+/**
+* Decide an atomic rate-limit step against an in-memory `RateLimit` snapshot
+* for the rolling `window` (seconds) and `max`. Shared by the memory backend
+* (read-decide-write is atomic under single-threaded JS) and as the fallback
+* for storages lacking an atomic primitive.
+*/
+function decideConsume(data, rule, now) {
+	const windowInMs = rule.window * 1e3;
+	if (!data) return {
+		next: {
+			key: "",
+			count: 1,
+			lastRequest: now
+		},
+		update: false,
+		allowed: true,
+		retryAfter: null
+	};
+	if (now - data.lastRequest >= windowInMs) return {
+		next: {
+			...data,
+			count: 1,
+			lastRequest: now
+		},
+		update: true,
+		allowed: true,
+		retryAfter: null
+	};
+	if (data.count >= rule.max) return {
+		next: data,
+		update: true,
+		allowed: false,
+		retryAfter: getRetryAfter(data.lastRequest, rule.window)
+	};
+	return {
+		next: {
+			...data,
+			count: data.count + 1,
+			lastRequest: now
+		},
+		update: true,
+		allowed: true,
+		retryAfter: null
+	};
 }
 function rateLimitResponse(retryAfter) {
 	return new Response(JSON.stringify({ message: "Too many requests. Please try again later." }), {
@@ -25,94 +77,173 @@ function getRetryAfter(lastRequest, window) {
 function createDatabaseStorageWrapper(ctx) {
 	const model = "rateLimit";
 	const db = ctx.adapter;
-	return {
-		get: async (key) => {
-			const data = (await db.findMany({
+	let longestObservedWindow = Math.max(...getConfiguredRateLimitWindows(ctx));
+	const readRow = async (key) => {
+		const data = (await db.findMany({
+			model,
+			where: [{
+				field: "key",
+				value: key
+			}]
+		}))[0];
+		if (typeof data?.lastRequest === "bigint") data.lastRequest = Number(data.lastRequest);
+		return data;
+	};
+	const consume = async (key, rule) => {
+		if (rule.window > longestObservedWindow) longestObservedWindow = rule.window;
+		const windowInMs = rule.window * 1e3;
+		const data = await readRow(key);
+		const now = Date.now();
+		if (!data) try {
+			await db.create({
+				model,
+				data: {
+					key,
+					count: 1,
+					lastRequest: now
+				}
+			});
+			return {
+				allowed: true,
+				retryAfter: null
+			};
+		} catch (error) {
+			if (!await readRow(key)) throw error;
+			return consume(key, rule);
+		}
+		if (now - data.lastRequest >= windowInMs) {
+			if (await db.incrementOne({
 				model,
 				where: [{
 					field: "key",
 					value: key
-				}]
-			}))[0];
-			if (typeof data?.lastRequest === "bigint") data.lastRequest = Number(data.lastRequest);
-			return data;
-		},
-		set: async (key, value, _update) => {
-			try {
-				if (_update) await db.updateMany({
-					model,
-					where: [{
-						field: "key",
-						value: key
-					}],
-					update: {
-						count: value.count,
-						lastRequest: value.lastRequest
-					}
-				});
-				else await db.create({
-					model,
-					data: {
-						key,
-						count: value.count,
-						lastRequest: value.lastRequest
-					}
-				});
-			} catch (e) {
-				ctx.logger.error("Error setting rate limit", e);
+				}, {
+					field: "lastRequest",
+					operator: "lte",
+					value: data.lastRequest
+				}],
+				increment: {},
+				set: {
+					count: 1,
+					lastRequest: now
+				}
+			})) {
+				deleteExpiredRows(now);
+				return {
+					allowed: true,
+					retryAfter: null
+				};
 			}
+			return consume(key, rule);
 		}
+		const windowStart = now - windowInMs;
+		if (await db.incrementOne({
+			model,
+			where: [
+				{
+					field: "key",
+					value: key
+				},
+				{
+					field: "lastRequest",
+					operator: "gt",
+					value: windowStart
+				},
+				{
+					field: "count",
+					operator: "lt",
+					value: rule.max
+				}
+			],
+			increment: { count: 1 },
+			set: { lastRequest: now }
+		})) return {
+			allowed: true,
+			retryAfter: null
+		};
+		const fresh = await readRow(key);
+		if (!fresh) return consume(key, rule);
+		if (now - fresh.lastRequest >= windowInMs) return consume(key, rule);
+		return {
+			allowed: false,
+			retryAfter: getRetryAfter(fresh.lastRequest, rule.window)
+		};
+	};
+	const deleteExpiredRows = (now) => {
+		const cutoff = now - longestObservedWindow * 1e3;
+		ctx.runInBackground(db.deleteMany({
+			model,
+			where: [{
+				field: "lastRequest",
+				operator: "lt",
+				value: cutoff
+			}]
+		}).then(() => void 0).catch((e) => ctx.logger.error("Error pruning rate limit rows", e)));
 	};
+	return { consume };
+}
+function getConfiguredRateLimitWindows(ctx) {
+	const windows = [ctx.rateLimit.window, ...getDefaultSpecialRules().map((rule) => rule.window)];
+	for (const plugin of ctx.options.plugins || []) if (plugin.rateLimit) windows.push(...plugin.rateLimit.map((rule) => rule.window));
+	if (ctx.rateLimit.customRules) {
+		for (const customRule of Object.values(ctx.rateLimit.customRules)) if (customRule && typeof customRule !== "function") windows.push(customRule.window);
+	}
+	const validWindows = windows.filter((window) => Number.isFinite(window) && window > 0);
+	return validWindows.length > 0 ? validWindows : [ctx.rateLimit.window];
 }
 function getRateLimitStorage(ctx, rateLimitSettings) {
 	if (ctx.options.rateLimit?.customStorage) return ctx.options.rateLimit.customStorage;
 	const storage = ctx.rateLimit.storage;
-	if (storage === "secondary-storage") return {
-		get: async (key) => {
-			const data = await ctx.options.secondaryStorage?.get(key);
-			return data ? safeJSONParse(data) : null;
-		},
-		set: async (key, value, _update) => {
-			const ttl = rateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;
-			await ctx.options.secondaryStorage?.set?.(key, JSON.stringify(value), ttl);
-		}
-	};
-	else if (storage === "memory") return {
-		async get(key) {
+	if (storage === "secondary-storage") {
+		const ttlFor = (window) => window ?? ctx.options.rateLimit?.window ?? 10;
+		const increment = ctx.options.secondaryStorage?.increment;
+		if (!increment) throw new BetterAuthError("Secondary-storage rate limiting requires SecondaryStorage.increment.");
+		return { consume: async (key, rule) => {
+			if (await increment(key, ttlFor(rule.window)) <= rule.max) return {
+				allowed: true,
+				retryAfter: null
+			};
+			return {
+				allowed: false,
+				retryAfter: rule.window
+			};
+		} };
+	} else if (storage === "memory") {
+		const ttlFor = (window) => window ?? ctx.options.rateLimit?.window ?? 10;
+		return { async consume(key, rule) {
+			pruneMemoryStore();
+			const now = Date.now();
 			const entry = memory.get(key);
-			if (!entry) return null;
-			if (Date.now() >= entry.expiresAt) {
-				memory.delete(key);
-				return null;
-			}
-			return entry.data;
-		},
-		async set(key, value, _update) {
-			const ttl = rateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;
-			const expiresAt = Date.now() + ttl * 1e3;
-			memory.set(key, {
-				data: value,
-				expiresAt
+			const decision = decideConsume(entry && now < entry.expiresAt ? entry.data : void 0, rule, now);
+			if (decision.allowed) memory.set(key, {
+				data: {
+					...decision.next,
+					key
+				},
+				expiresAt: now + ttlFor(rule.window) * 1e3
 			});
-		}
-	};
+			return {
+				allowed: decision.allowed,
+				retryAfter: decision.retryAfter
+			};
+		} };
+	}
 	return createDatabaseStorageWrapper(ctx);
 }
 let ipWarningLogged = false;
+const NO_TRUSTED_IP_KEY = "no-trusted-ip";
 async function resolveRateLimitConfig(req, ctx) {
 	const basePath = new URL(ctx.baseURL).pathname;
 	const path = normalizePathname(req.url, basePath);
 	let currentWindow = ctx.rateLimit.window;
 	let currentMax = ctx.rateLimit.max;
 	const ip = getIp(req, ctx.options);
-	if (!ip) {
-		if (!ipWarningLogged) {
-			ctx.logger.warn("Rate limiting skipped: could not determine client IP address. Ensure your runtime forwards a trusted client IP header and configure `advanced.ipAddress.ipAddressHeaders` if needed.");
-			ipWarningLogged = true;
-		}
-		return null;
+	if (!ip && ctx.options.advanced?.ipAddress?.disableIpTracking) return null;
+	if (!ip && !ipWarningLogged) {
+		ctx.logger.warn("Rate limiting could not determine a client IP and is falling back to a single shared per-path bucket. Ensure your runtime forwards a trusted client IP header and configure `advanced.ipAddress.ipAddressHeaders` if needed.");
+		ipWarningLogged = true;
 	}
-	const key = createRateLimitKey(ip, path);
+	const key = createRateLimitKey(ip ?? NO_TRUSTED_IP_KEY, path);
 	const specialRule = getDefaultSpecialRules().find((rule) => rule.pathMatcher(path));
 	if (specialRule) {
 		currentWindow = specialRule.window;
@@ -150,37 +281,24 @@ async function resolveRateLimitConfig(req, ctx) {
 		currentMax
 	};
 }
+/**
+* Decides the rate limit for the request in a single atomic step. The whole
+* check-and-increment happens here in the request phase; there is no separate
+* response-phase write-back, so concurrent requests cannot all pass a stale
+* read before any increment lands.
+*/
 async function onRequestRateLimit(req, ctx) {
 	if (!ctx.rateLimit.enabled) return;
 	const config = await resolveRateLimitConfig(req, ctx);
 	if (!config) return;
 	const { key, currentWindow, currentMax } = config;
-	const data = await getRateLimitStorage(ctx, { window: currentWindow }).get(key);
-	if (data && shouldRateLimit(currentMax, currentWindow, data)) return rateLimitResponse(getRetryAfter(data.lastRequest, currentWindow));
-}
-async function onResponseRateLimit(req, ctx) {
-	if (!ctx.rateLimit.enabled) return;
-	const config = await resolveRateLimitConfig(req, ctx);
-	if (!config) return;
-	const { key, currentWindow } = config;
 	const storage = getRateLimitStorage(ctx, { window: currentWindow });
-	const data = await storage.get(key);
-	const now = Date.now();
-	if (!data) await storage.set(key, {
-		key,
-		count: 1,
-		lastRequest: now
-	});
-	else if (now - data.lastRequest > currentWindow * 1e3) await storage.set(key, {
-		...data,
-		count: 1,
-		lastRequest: now
-	}, true);
-	else await storage.set(key, {
-		...data,
-		count: data.count + 1,
-		lastRequest: now
-	}, true);
+	const rule = {
+		window: currentWindow,
+		max: currentMax
+	};
+	const { allowed, retryAfter } = await storage.consume(key, rule);
+	if (!allowed) return rateLimitResponse(retryAfter ?? currentWindow);
 }
 function getDefaultSpecialRules() {
 	return [{
@@ -198,4 +316,4 @@ function getDefaultSpecialRules() {
 	}];
 }
 //#endregion
-export { onRequestRateLimit, onResponseRateLimit };
+export { onRequestRateLimit };

package/dist/api/routes/account.mjs

@@ -1,3 +1,4 @@
+import { shouldBindAccountCookieToSessionUser } from "../../context/store-capabilities.mjs";
 import { parseAccountOutput } from "../../db/schema.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { getAccountCookie } from "../../cookies/session-store.mjs";
@@ -7,7 +8,7 @@ import { decryptOAuthToken } from "../../oauth2/token-encryption.mjs";
 import { persistOAuthAccount } from "../../oauth2/persist-account.mjs";
 import { applyUpdateUserInfoOnLink } from "../../oauth2/resolve-account.mjs";
 import { generateState } from "../../oauth2/state.mjs";
-import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "./session.mjs";
+import { freshSessionMiddleware, getSessionFromCtx, isStateful, sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { additionalAuthorizationParamsSchema, readGrantedScopes, supportsIdTokenSignIn, verifyProviderIdToken } from "@better-auth/core/oauth2";
 import { SocialProviderListEnum } from "@better-auth/core/social-providers";
@@ -126,7 +127,7 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 		}
 		const { token, nonce } = c.body.idToken;
 		if (!await verifyProviderIdToken(provider, token, nonce)) {
-			c.context.logger.error("Invalid id token", { provider: c.body.provider });
+			c.context.logger.warn("Invalid id token", { provider: c.body.provider });
 			throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_TOKEN);
 		}
 		const linkingUserInfo = await provider.getUserInfo({
@@ -250,7 +251,7 @@ const unlinkAccount = createAuthEndpoint("/unlink-account", {
 * so the cache is left in place for them.
 */
 async function resolveUserId(ctx, userId) {
-	const session = await getSessionFromCtx(ctx, { disableCookieCache: !!ctx.context.options.database || !!ctx.context.options.secondaryStorage });
+	const session = await getSessionFromCtx(ctx, { disableCookieCache: isStateful(ctx) });
 	if (!session && (ctx.request || ctx.headers)) throw ctx.error("UNAUTHORIZED");
 	const resolvedUserId = session?.user?.id || userId;
 	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
@@ -259,6 +260,9 @@ async function resolveUserId(ctx, userId) {
 	});
 	return resolvedUserId;
 }
+function matchesAccountSelection(ctx, account, { resolvedUserId, providerId, accountId }) {
+	return (!shouldBindAccountCookieToSessionUser(ctx.context.options) || account.userId === resolvedUserId) && (!providerId || providerId === account.providerId) && (!accountId || account.accountId === accountId);
+}
 /**
 * Fetches a currently-valid access token for a user's provider account,
 * refreshing and persisting it when it is within five seconds of expiry.
@@ -274,7 +278,11 @@ async function getValidAccessToken(ctx, { resolvedUserId, providerId, accountId,
 	let account = resolvedAccount;
 	if (!account) {
 		const accountData = await getAccountCookie(ctx);
-		if (accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
+		if (accountData && matchesAccountSelection(ctx, accountData, {
+			resolvedUserId,
+			providerId,
+			accountId
+		})) account = accountData;
 		else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
 	}
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
@@ -401,7 +409,11 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 	});
 	let account = void 0;
 	const accountData = await getAccountCookie(ctx);
-	if (!!accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
+	if (!!accountData && matchesAccountSelection(ctx, accountData, {
+		resolvedUserId,
+		providerId,
+		accountId
+	})) account = accountData;
 	else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	const refreshToken = account.refreshToken ?? void 0;
@@ -475,7 +487,10 @@ const accountInfo = createAuthEndpoint("/account-info", {
 	if (!providedAccountId) {
 		if (ctx.context.options.account?.storeAccountCookie) {
 			const accountData = await getAccountCookie(ctx);
-			if (accountData) account = accountData;
+			if (accountData && matchesAccountSelection(ctx, accountData, {
+				resolvedUserId,
+				providerId: providedProviderId
+			})) account = accountData;
 		}
 	} else {
 		const matchingAccounts = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).filter((acc) => acc.accountId === providedAccountId && (!providedProviderId || acc.providerId === providedProviderId));
@@ -485,7 +500,7 @@ const accountInfo = createAuthEndpoint("/account-info", {
 		});
 		account = matchingAccounts[0];
 	}
-	if (!account || account.userId !== resolvedUserId) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
+	if (!account || !matchesAccountSelection(ctx, account, { resolvedUserId })) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: account.providerId });
 	if (!provider) throw APIError.from("BAD_REQUEST", {
 		message: "Account is not associated with a configured social provider.",

package/dist/api/routes/callback.mjs

@@ -88,12 +88,12 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}
 	if (error) redirectOnError(error, error_description);
 	if (!code) {
-		c.context.logger.error("Code not found");
+		c.context.logger.warn("Code not found");
 		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.NO_CODE);
 	}
 	const provider = await getAwaitableValue(c.context.socialProviders, { value: c.params.id });
 	if (!provider) {
-		c.context.logger.error("Oauth provider with id", c.params.id, "not found");
+		c.context.logger.warn("OAuth provider not found", { providerId: c.params.id });
 		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.PROVIDER_NOT_FOUND);
 	}
 	if (iss && provider.issuer && iss !== provider.issuer) {

package/dist/api/routes/email-verification.mjs

@@ -27,11 +27,11 @@ async function sendVerificationEmailFn(ctx, user) {
 	const token = await createEmailVerificationToken(ctx.context.secret, user.email, void 0, ctx.context.options.emailVerification?.expiresIn);
 	const callbackURL = ctx.body.callbackURL ? encodeURIComponent(ctx.body.callbackURL) : encodeURIComponent("/");
 	const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${callbackURL}`;
-	await ctx.context.runInBackgroundOrAwait(ctx.context.options.emailVerification.sendVerificationEmail({
+	await ctx.context.options.emailVerification.sendVerificationEmail({
 		user,
 		url,
 		token
-	}, ctx.request?.clone()));
+	}, ctx.request);
 }
 const sendVerificationEmail = createAuthEndpoint("/send-verification-email", {
 	method: "POST",
@@ -94,12 +94,25 @@ const sendVerificationEmail = createAuthEndpoint("/send-verification-email", {
 	const { email } = ctx.body;
 	const session = await getSessionFromCtx(ctx);
 	if (!session) {
+		/**
+		* Enforce a constant-time floor so an attacker cannot distinguish
+		* "email not found / already verified" (fast local JWT sign) from
+		* "email found and unverified" (slow external email-send) by
+		* comparing response times.
+		*/
+		const MINIMUM_MS = 500;
+		const start = Date.now();
 		const user = await ctx.context.internalAdapter.findUserByEmail(email);
-		if (!user || user.user.emailVerified) {
-			await createEmailVerificationToken(ctx.context.secret, email, void 0, ctx.context.options.emailVerification?.expiresIn);
-			return ctx.json({ status: true });
+		let error;
+		if (!user || user.user.emailVerified) await createEmailVerificationToken(ctx.context.secret, email, void 0, ctx.context.options.emailVerification?.expiresIn);
+		else try {
+			await sendVerificationEmailFn(ctx, user.user);
+		} catch (e) {
+			error = e;
 		}
-		await sendVerificationEmailFn(ctx, user.user);
+		const remaining = MINIMUM_MS - (Date.now() - start);
+		if (remaining > 0) await new Promise((resolve) => setTimeout(resolve, remaining));
+		if (error) throw error;
 		return ctx.json({ status: true });
 	}
 	if (session?.user.email.toLowerCase() !== email.toLowerCase()) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_MISMATCH);

package/dist/api/routes/index.d.mts

@@ -4,7 +4,7 @@ import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEm
 import { error } from "./error.mjs";
 import { ok } from "./ok.mjs";
 import { requestPasswordReset, requestPasswordResetCallback, resetPassword, verifyPassword } from "./password.mjs";
-import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./session.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./session.mjs";
 import { signInEmail, signInSocial } from "./sign-in.mjs";
 import { signOut } from "./sign-out.mjs";
 import { signUpEmail } from "./sign-up.mjs";