create-croissant 0.1.0 → 0.1.1

package/template/apps/web/node_modules/@better-auth/core/src/utils/host.ts

@@ -0,0 +1,401 @@
+import { isValidIP, normalizeIP } from "./ip";
+
+/**
+ * Host classification per RFC 6890 (Special-Purpose IP Address Registries),
+ * RFC 6761 (Special-Use Domain Names), and RFC 8252 §7.3 (loopback redirect URIs).
+ *
+ * This module is the single source of truth for "is this host public? private?
+ * loopback? link-local?" in the codebase. Consumers MUST prefer these predicates
+ * over bespoke regexes or substring matches; divergent checks are how bypass
+ * vulnerabilities get introduced (e.g. Oligo's "0.0.0.0 Day" 2024).
+ *
+ * Four user-facing primitives:
+ *
+ *   - `classifyHost(host)` — the workhorse. Returns a {@link HostClassification}
+ *     with `kind`, `literal`, and `canonical` fields.
+ *   - `isLoopbackIP(host)` — strict: IPv4 `127.0.0.0/8` or IPv6 `::1` only.
+ *     Use this for RFC 8252 §7.3 loopback redirect URI matching where IP
+ *     literals are REQUIRED.
+ *   - `isLoopbackHost(host)` — permissive: also accepts `localhost` and RFC 6761
+ *     `.localhost` subdomains. Use this for developer ergonomics (CORS, cookie
+ *     secure bypass, dev-mode HTTP allow-list).
+ *   - `isPublicRoutableHost(host)` — SSRF gate. Returns false for every
+ *     non-`public` kind. Use this before server-side fetches to user-controlled
+ *     URLs.
+ */
+
+/**
+ * The semantic kind of a host, derived from RFC 6890 special-purpose registries
+ * plus a few domain-name categories (localhost, cloud metadata FQDNs).
+ */
+export type HostKind =
+	/** IPv4 `127.0.0.0/8` or IPv6 `::1`. */
+	| "loopback"
+	/** DNS name `localhost` or RFC 6761 `.localhost` TLD. */
+	| "localhost"
+	/** IPv4 `0.0.0.0` or IPv6 `::` — "this host on this network", not loopback. */
+	| "unspecified"
+	/** RFC 1918 `10/8`, `172.16/12`, `192.168/16`, or IPv6 ULA `fc00::/7`. */
+	| "private"
+	/** IPv4 `169.254/16` or IPv6 `fe80::/10`. Includes AWS IMDS `169.254.169.254`. */
+	| "linkLocal"
+	/** RFC 6598 carrier-grade NAT `100.64.0.0/10`. */
+	| "sharedAddressSpace"
+	/** RFC 5737 `192.0.2/24`, `198.51.100/24`, `203.0.113/24`, or RFC 3849 `2001:db8::/32`. */
+	| "documentation"
+	/** RFC 2544 `198.18.0.0/15`. */
+	| "benchmarking"
+	/** IPv4 `224.0.0.0/4` or IPv6 `ff00::/8`. */
+	| "multicast"
+	/** IPv4 limited broadcast `255.255.255.255`. */
+	| "broadcast"
+	/** Other RFC 6890 special-purpose ranges (0/8, 192.0.0/24, 240/4, 2001::/32, etc.). */
+	| "reserved"
+	/** Cloud metadata service FQDN (e.g. `metadata.google.internal`). */
+	| "cloudMetadata"
+	/** Any host not matching a special-purpose range above. */
+	| "public";
+
+/**
+ * The syntactic form of the input host: an IPv4 literal, an IPv6 literal, or
+ * a domain name. IPv4-mapped IPv6 (`::ffff:192.0.2.1`) is reported as `ipv4`
+ * because it's unmapped during canonicalization.
+ */
+export type HostLiteral = "ipv4" | "ipv6" | "fqdn";
+
+/**
+ * Result of {@link classifyHost}. All fields are readonly.
+ *
+ * @property kind - Semantic classification per RFC 6890 + RFC 6761.
+ * @property literal - Syntactic form of the input (IPv4, IPv6, or FQDN).
+ * @property canonical - Lowercase, port-stripped, bracket-stripped, zone-id-stripped
+ *   form suitable for equality comparison. IPv6 is expanded to full form.
+ *   IPv4-mapped IPv6 is collapsed to the underlying IPv4.
+ */
+export interface HostClassification {
+	readonly kind: HostKind;
+	readonly literal: HostLiteral;
+	readonly canonical: string;
+}
+
+/**
+ * Cloud provider instance metadata service FQDNs. These resolve to link-local
+ * IPs (usually `169.254.169.254`) inside their respective clouds and are
+ * prime SSRF targets.
+ *
+ * The IPs themselves are already caught by the `linkLocal` kind; this set
+ * only exists for the FQDN form that a naive server-side fetch might resolve
+ * via its own resolver.
+ */
+const CLOUD_METADATA_HOSTS: ReadonlySet<string> = new Set([
+	"metadata.google.internal",
+	"metadata.goog",
+	"metadata",
+	"instance-data",
+	"instance-data.ec2.internal",
+]);
+
+/** Strip `[...]` if the entire input is bracketed (IPv6 literal form). */
+function stripBrackets(host: string): string {
+	if (host.length >= 2 && host.startsWith("[") && host.endsWith("]")) {
+		return host.slice(1, -1);
+	}
+	return host;
+}
+
+/**
+ * Strip trailing `:port` from host-with-port strings.
+ *
+ * - Bracketed IPv6 with port: `[::1]:8080` → `[::1]`
+ * - IPv4/FQDN with port: `127.0.0.1:3000` / `example.com:443` → base form
+ * - Bare IPv6: `::1` / `fe80::1` → unchanged (multiple colons means no port)
+ */
+function stripPort(host: string): string {
+	if (host.startsWith("[")) {
+		const end = host.indexOf("]");
+		if (end === -1) return host;
+		return host.slice(0, end + 1);
+	}
+	const firstColon = host.indexOf(":");
+	if (firstColon === -1) return host;
+	if (host.indexOf(":", firstColon + 1) !== -1) return host;
+	return host.slice(0, firstColon);
+}
+
+/** Strip IPv6 zone identifier: `fe80::1%eth0` → `fe80::1`. */
+function stripZoneId(host: string): string {
+	const zone = host.indexOf("%");
+	if (zone === -1) return host;
+	return host.slice(0, zone);
+}
+
+/**
+ * Strip trailing dots (RFC 1034 absolute DNS form): `localhost.` → `localhost`.
+ * Without this, `metadata.google.internal.` would fall through to `public` and
+ * bypass the cloud-metadata / `.localhost` checks, since WHATWG URL parsing
+ * preserves the trailing dot in `url.hostname`.
+ */
+function stripTrailingDot(host: string): string {
+	return host.replace(/\.+$/, "");
+}
+
+/** Fast dotted-decimal shape check. Does NOT validate octet bounds. */
+function looksLikeIPv4(host: string): boolean {
+	return /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
+}
+
+/** Pack a validated dotted-decimal IPv4 into a 32-bit unsigned integer. */
+function ipv4ToUint32(ip: string): number {
+	const parts = ip.split(".");
+	return (
+		((Number(parts[0]) << 24) |
+			(Number(parts[1]) << 16) |
+			(Number(parts[2]) << 8) |
+			Number(parts[3])) >>>
+		0
+	);
+}
+
+/** Check whether a 32-bit value matches `prefix/length` (both unsigned). */
+function inIPv4Range(value: number, prefix: number, length: number): boolean {
+	if (length === 0) return true;
+	const mask = length === 32 ? 0xffffffff : (~0 << (32 - length)) >>> 0;
+	return (value & mask) === (prefix & mask);
+}
+
+function classifyIPv4(ip: string): HostKind {
+	if (ip === "0.0.0.0") return "unspecified";
+	if (ip === "255.255.255.255") return "broadcast";
+
+	const n = ipv4ToUint32(ip);
+
+	if (inIPv4Range(n, ipv4ToUint32("127.0.0.0"), 8)) return "loopback";
+	if (inIPv4Range(n, ipv4ToUint32("10.0.0.0"), 8)) return "private";
+	if (inIPv4Range(n, ipv4ToUint32("172.16.0.0"), 12)) return "private";
+	if (inIPv4Range(n, ipv4ToUint32("192.168.0.0"), 16)) return "private";
+	if (inIPv4Range(n, ipv4ToUint32("169.254.0.0"), 16)) return "linkLocal";
+	if (inIPv4Range(n, ipv4ToUint32("100.64.0.0"), 10))
+		return "sharedAddressSpace";
+	if (inIPv4Range(n, ipv4ToUint32("192.0.2.0"), 24)) return "documentation";
+	if (inIPv4Range(n, ipv4ToUint32("198.51.100.0"), 24)) return "documentation";
+	if (inIPv4Range(n, ipv4ToUint32("203.0.113.0"), 24)) return "documentation";
+	if (inIPv4Range(n, ipv4ToUint32("198.18.0.0"), 15)) return "benchmarking";
+	if (inIPv4Range(n, ipv4ToUint32("224.0.0.0"), 4)) return "multicast";
+	if (inIPv4Range(n, ipv4ToUint32("0.0.0.0"), 8)) return "reserved";
+	if (inIPv4Range(n, ipv4ToUint32("192.0.0.0"), 24)) return "reserved";
+	if (inIPv4Range(n, ipv4ToUint32("240.0.0.0"), 4)) return "reserved";
+
+	return "public";
+}
+
+/**
+ * Extract an IPv4 address embedded in an expanded IPv6 literal.
+ *
+ * Used to recurse into tunnel/translation forms (6to4, NAT64, Teredo) so a
+ * private destination cannot be smuggled behind a syntactically-public IPv6
+ * literal. `startGroup` is the index of the first of two 16-bit groups in the
+ * expanded form (`0000:0000:...`). With `xor: true`, the 32-bit value is XORed
+ * with `0xffffffff` before decoding (Teredo obfuscates the client IPv4 this
+ * way).
+ */
+function extractEmbeddedIPv4(
+	expanded: string,
+	startGroup: number,
+	options: { xor?: boolean } = {},
+): string | null {
+	const offset = startGroup * 5;
+	const g1 = Number.parseInt(expanded.slice(offset, offset + 4), 16);
+	const g2 = Number.parseInt(expanded.slice(offset + 5, offset + 9), 16);
+	if (!Number.isFinite(g1) || !Number.isFinite(g2)) return null;
+	let combined = ((g1 << 16) | g2) >>> 0;
+	if (options.xor) combined = (combined ^ 0xffffffff) >>> 0;
+	return `${(combined >>> 24) & 0xff}.${(combined >>> 16) & 0xff}.${(combined >>> 8) & 0xff}.${combined & 0xff}`;
+}
+
+/**
+ * Classify an expanded, full-form, lowercase IPv6 address (no IPv4-mapped
+ * input — those are unmapped to IPv4 before reaching here).
+ *
+ * 6to4 (`2002::/16`), NAT64 (`64:ff9b::/96`) and Teredo (`2001:0000::/32`)
+ * embed an IPv4 that can route to private/loopback space. If the embedded
+ * IPv4 classifies as non-`public`, return `reserved` — blocks SSRF without
+ * advertising the address as a loopback literal for RFC 8252 §7.3 matching.
+ */
+function classifyIPv6(expanded: string): HostKind {
+	if (expanded === "0000:0000:0000:0000:0000:0000:0000:0000")
+		return "unspecified";
+	if (expanded === "0000:0000:0000:0000:0000:0000:0000:0001") return "loopback";
+
+	const firstByte = Number.parseInt(expanded.slice(0, 2), 16);
+	const secondByte = Number.parseInt(expanded.slice(2, 4), 16);
+
+	if (firstByte === 0xff) return "multicast";
+	if (firstByte === 0xfe && (secondByte & 0xc0) === 0x80) return "linkLocal";
+	if ((firstByte & 0xfe) === 0xfc) return "private";
+
+	if (expanded.startsWith("2001:0db8:")) return "documentation";
+
+	if (expanded.startsWith("2002:")) {
+		const embedded = extractEmbeddedIPv4(expanded, 1);
+		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
+		return "public";
+	}
+
+	if (expanded.startsWith("0064:ff9b:0000:0000:0000:0000:")) {
+		const embedded = extractEmbeddedIPv4(expanded, 6);
+		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
+		return "reserved";
+	}
+
+	if (expanded.startsWith("2001:0000:")) {
+		const embedded = extractEmbeddedIPv4(expanded, 6, { xor: true });
+		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
+		return "reserved";
+	}
+
+	if (expanded.startsWith("0100:0000:0000:0000:")) return "reserved";
+
+	return "public";
+}
+
+/**
+ * Classify a host string according to RFC 6890 / RFC 6761.
+ *
+ * Accepts inputs in any of these shapes and normalizes before classifying:
+ *
+ *   - Bare IPv4: `127.0.0.1`
+ *   - Bare IPv6: `::1`, `fe80::1%eth0`
+ *   - Bracketed IPv6: `[::1]`
+ *   - Host with port: `localhost:3000`, `127.0.0.1:443`, `[::1]:8080`
+ *   - FQDN: `example.com`, `tenant.localhost`
+ *   - IPv4-mapped IPv6: `::ffff:192.0.2.1` (reported as `literal: "ipv4"`)
+ *
+ * Invalid or non-resolvable FQDNs are returned as `{ kind: "public", literal: "fqdn" }`
+ * — this function never throws. Callers that need structural validation must
+ * combine this with a URL/hostname validator upstream.
+ *
+ * @example
+ * classifyHost("127.0.0.1")
+ * // { kind: "loopback", literal: "ipv4", canonical: "127.0.0.1" }
+ *
+ * @example
+ * classifyHost("[::1]:8080")
+ * // { kind: "loopback", literal: "ipv6", canonical: "0000:0000:...:0001" }
+ *
+ * @example
+ * classifyHost("::ffff:192.0.2.1")
+ * // { kind: "documentation", literal: "ipv4", canonical: "192.0.2.1" }
+ *
+ * @example
+ * classifyHost("tenant-a.localhost")
+ * // { kind: "localhost", literal: "fqdn", canonical: "tenant-a.localhost" }
+ */
+export function classifyHost(host: string): HostClassification {
+	const stripped = stripTrailingDot(
+		stripZoneId(stripBrackets(stripPort(host.trim()))),
+	);
+	const lowered = stripped.toLowerCase();
+
+	if (lowered === "") {
+		return { kind: "reserved", literal: "fqdn", canonical: "" };
+	}
+
+	if (!isValidIP(lowered)) {
+		if (lowered === "localhost" || lowered.endsWith(".localhost")) {
+			return { kind: "localhost", literal: "fqdn", canonical: lowered };
+		}
+		if (CLOUD_METADATA_HOSTS.has(lowered)) {
+			return { kind: "cloudMetadata", literal: "fqdn", canonical: lowered };
+		}
+		return { kind: "public", literal: "fqdn", canonical: lowered };
+	}
+
+	if (looksLikeIPv4(lowered)) {
+		return { kind: classifyIPv4(lowered), literal: "ipv4", canonical: lowered };
+	}
+
+	const canonical = normalizeIP(lowered, { ipv6Subnet: 128 });
+
+	if (looksLikeIPv4(canonical)) {
+		return {
+			kind: classifyIPv4(canonical),
+			literal: "ipv4",
+			canonical,
+		};
+	}
+
+	return { kind: classifyIPv6(canonical), literal: "ipv6", canonical };
+}
+
+/**
+ * Strict loopback-IP-literal check per RFC 8252 §7.3.
+ *
+ * Returns true ONLY for IPv4 `127.0.0.0/8` or IPv6 `::1`. The DNS name
+ * `localhost` returns false — RFC 8252 §8.3 explicitly recommends against
+ * relying on name resolution for loopback redirect URIs.
+ *
+ * Use this for OAuth redirect URI matching.
+ *
+ * @example
+ * isLoopbackIP("127.0.0.1")     // true
+ * isLoopbackIP("::1")           // true
+ * isLoopbackIP("[::1]:8080")    // true
+ * isLoopbackIP("localhost")     // false  (use isLoopbackHost for DNS names)
+ * isLoopbackIP("0.0.0.0")       // false  (unspecified, not loopback)
+ */
+export function isLoopbackIP(host: string): boolean {
+	return classifyHost(host).kind === "loopback";
+}
+
+/**
+ * Permissive loopback check for developer-ergonomics code paths.
+ *
+ * Returns true for IPv4 `127.0.0.0/8`, IPv6 `::1`, the literal name `localhost`,
+ * and any RFC 6761 `.localhost` subdomain (`tenant.localhost`, `app.localhost`).
+ *
+ * Use this for things like: allowing HTTP for dev servers, skipping Secure
+ * cookie requirements, browser-trust heuristics. Do NOT use this for OAuth
+ * redirect URI matching — use {@link isLoopbackIP} there.
+ *
+ * @example
+ * isLoopbackHost("localhost")         // true
+ * isLoopbackHost("tenant.localhost")  // true  (RFC 6761)
+ * isLoopbackHost("127.0.0.1")         // true
+ * isLoopbackHost("0.0.0.0")           // false (unspecified, NOT loopback)
+ */
+export function isLoopbackHost(host: string): boolean {
+	const kind = classifyHost(host).kind;
+	return kind === "loopback" || kind === "localhost";
+}
+
+/**
+ * First-line SSRF gate: returns true ONLY for hosts that classify as `public`.
+ *
+ * Every RFC 6890 special-purpose range (loopback, private, link-local,
+ * unspecified, documentation, multicast, broadcast, reserved, shared address
+ * space, benchmarking) and cloud-metadata FQDN returns false.
+ *
+ * Use this BEFORE issuing a server-side fetch to a user-supplied URL, e.g.
+ * OAuth introspection endpoints, webhook targets, or metadata-document
+ * fetches (CIMD).
+ *
+ * Limitations (this is a syntactic check, not a complete SSRF mitigation):
+ * - No DNS resolution: a public-looking FQDN that resolves to a private IP
+ *   passes this check. Re-verify the resolved address before connecting, or
+ *   pin the socket to the resolved IP.
+ * - No DNS-rebinding defense: attackers can return a public IP on the first
+ *   lookup and a private IP on the second. Resolve once and reuse the IP.
+ * - No redirect following: HTTP 3xx responses can redirect to private hosts.
+ *   Re-run this check on every redirect target, or disable auto-follow.
+ *
+ * @example
+ * isPublicRoutableHost("example.com")            // true
+ * isPublicRoutableHost("127.0.0.1")              // false (loopback)
+ * isPublicRoutableHost("169.254.169.254")        // false (linkLocal / AWS IMDS)
+ * isPublicRoutableHost("metadata.google.internal") // false (cloudMetadata)
+ * isPublicRoutableHost("10.0.0.1")               // false (private)
+ * isPublicRoutableHost("::ffff:127.0.0.1")       // false (mapped loopback)
+ */
+export function isPublicRoutableHost(host: string): boolean {
+	return classifyHost(host).kind === "public";
+}

package/template/apps/web/node_modules/@better-auth/core/src/utils/id.ts

@@ -0,0 +1,5 @@
+import { createRandomStringGenerator } from "@better-auth/utils/random";
+
+export const generateId = (size?: number) => {
+	return createRandomStringGenerator("a-z", "A-Z", "0-9")(size || 32);
+};

package/template/apps/web/node_modules/@better-auth/core/src/utils/ip.ts

@@ -0,0 +1,211 @@
+import * as z from "zod";
+
+/**
+ * Normalizes an IP address for consistent rate limiting.
+ *
+ * Features:
+ * - Normalizes IPv6 to canonical lowercase form
+ * - Converts IPv4-mapped IPv6 to IPv4
+ * - Supports IPv6 subnet extraction
+ * - Handles all edge cases (::1, ::, etc.)
+ */
+
+interface NormalizeIPOptions {
+	/**
+	 * For IPv6 addresses, extract the subnet prefix instead of full address.
+	 * Common values: 32, 48, 64, 128 (default: 128 = full address)
+	 *
+	 * @default 128
+	 */
+	ipv6Subnet?: 128 | 64 | 48 | 32;
+}
+
+/**
+ * Checks if an IP is valid IPv4 or IPv6
+ */
+export function isValidIP(ip: string): boolean {
+	return z.ipv4().safeParse(ip).success || z.ipv6().safeParse(ip).success;
+}
+
+/**
+ * Checks if an IP is IPv6
+ */
+function isIPv6(ip: string): boolean {
+	return z.ipv6().safeParse(ip).success;
+}
+
+/**
+ * Converts IPv4-mapped IPv6 address to IPv4
+ * e.g., "::ffff:192.0.2.1" -> "192.0.2.1"
+ */
+function extractIPv4FromMapped(ipv6: string): string | null {
+	const lower = ipv6.toLowerCase();
+
+	// Handle ::ffff:192.0.2.1 format
+	if (lower.startsWith("::ffff:")) {
+		const ipv4Part = lower.substring(7);
+		// Check if it's a valid IPv4
+		if (z.ipv4().safeParse(ipv4Part).success) {
+			return ipv4Part;
+		}
+	}
+
+	// Handle full form: 0:0:0:0:0:ffff:192.0.2.1
+	const parts = ipv6.split(":");
+	if (parts.length === 7 && parts[5]?.toLowerCase() === "ffff") {
+		const ipv4Part = parts[6];
+		if (ipv4Part && z.ipv4().safeParse(ipv4Part).success) {
+			return ipv4Part;
+		}
+	}
+
+	// Handle hex-encoded IPv4 in mapped address
+	// e.g., ::ffff:c000:0201 -> 192.0.2.1
+	if (lower.includes("::ffff:") || lower.includes(":ffff:")) {
+		const groups = expandIPv6(ipv6);
+		if (
+			groups.length === 8 &&
+			groups[0] === "0000" &&
+			groups[1] === "0000" &&
+			groups[2] === "0000" &&
+			groups[3] === "0000" &&
+			groups[4] === "0000" &&
+			groups[5] === "ffff" &&
+			groups[6] &&
+			groups[7]
+		) {
+			// Convert last two groups to IPv4
+			const byte1 = Number.parseInt(groups[6].substring(0, 2), 16);
+			const byte2 = Number.parseInt(groups[6].substring(2, 4), 16);
+			const byte3 = Number.parseInt(groups[7].substring(0, 2), 16);
+			const byte4 = Number.parseInt(groups[7].substring(2, 4), 16);
+			return `${byte1}.${byte2}.${byte3}.${byte4}`;
+		}
+	}
+
+	return null;
+}
+
+/**
+ * Expands a compressed IPv6 address to full form
+ * e.g., "2001:db8::1" -> ["2001", "0db8", "0000", "0000", "0000", "0000", "0000", "0001"]
+ */
+function expandIPv6(ipv6: string): string[] {
+	// Handle :: notation (zero compression)
+	if (ipv6.includes("::")) {
+		const sides = ipv6.split("::");
+		const left = sides[0] ? sides[0].split(":") : [];
+		const right = sides[1] ? sides[1].split(":") : [];
+
+		// Calculate missing groups
+		const totalGroups = 8;
+		const missingGroups = totalGroups - left.length - right.length;
+		const zeros = Array(missingGroups).fill("0000");
+
+		// Pad existing groups to 4 digits
+		const paddedLeft = left.map((g) => g.padStart(4, "0"));
+		const paddedRight = right.map((g) => g.padStart(4, "0"));
+
+		return [...paddedLeft, ...zeros, ...paddedRight];
+	}
+
+	// No compression, just pad each group
+	return ipv6.split(":").map((g) => g.padStart(4, "0"));
+}
+
+/**
+ * Normalizes an IPv6 address to canonical form
+ * e.g., "2001:DB8::1" -> "2001:0db8:0000:0000:0000:0000:0000:0001"
+ */
+function normalizeIPv6(
+	ipv6: string,
+	subnetPrefix?: 128 | 32 | 48 | 64,
+): string {
+	const groups = expandIPv6(ipv6);
+
+	if (subnetPrefix && subnetPrefix < 128) {
+		// Apply subnet mask
+		const prefix = subnetPrefix;
+		let bitsRemaining: number = prefix;
+
+		const maskedGroups = groups.map((group) => {
+			if (bitsRemaining <= 0) {
+				return "0000";
+			}
+			if (bitsRemaining >= 16) {
+				bitsRemaining -= 16;
+				return group;
+			}
+
+			// Partial mask for this group
+			const value = Number.parseInt(group, 16);
+			const mask = (0xffff << (16 - bitsRemaining)) & 0xffff;
+			const masked = value & mask;
+			bitsRemaining = 0;
+			return masked.toString(16).padStart(4, "0");
+		});
+
+		return maskedGroups.join(":").toLowerCase();
+	}
+
+	return groups.join(":").toLowerCase();
+}
+
+/**
+ * Normalizes an IP address (IPv4 or IPv6) for consistent rate limiting.
+ *
+ * @param ip - The IP address to normalize
+ * @param options - Normalization options
+ * @returns Normalized IP address
+ *
+ * @example
+ * normalizeIP("2001:DB8::1")
+ * // -> "2001:0db8:0000:0000:0000:0000:0000:0000"
+ *
+ * @example
+ * normalizeIP("::ffff:192.0.2.1")
+ * // -> "192.0.2.1" (converted to IPv4)
+ *
+ * @example
+ * normalizeIP("2001:db8::1", { ipv6Subnet: 64 })
+ * // -> "2001:0db8:0000:0000:0000:0000:0000:0000" (subnet /64)
+ */
+export function normalizeIP(
+	ip: string,
+	options: NormalizeIPOptions = {},
+): string {
+	// IPv4 addresses are already normalized
+	if (z.ipv4().safeParse(ip).success) {
+		return ip.toLowerCase();
+	}
+
+	// Check if it's IPv6
+	if (!isIPv6(ip)) {
+		// Return as-is if not valid (shouldn't happen due to prior validation)
+		return ip.toLowerCase();
+	}
+
+	// Check for IPv4-mapped IPv6
+	const ipv4 = extractIPv4FromMapped(ip);
+	if (ipv4) {
+		return ipv4.toLowerCase();
+	}
+
+	// Normalize IPv6
+	const subnetPrefix = options.ipv6Subnet || 64;
+	return normalizeIPv6(ip, subnetPrefix);
+}
+
+/**
+ * Creates a rate limit key from IP and path
+ * Uses a separator to prevent collision attacks
+ *
+ * @param ip - The IP address (should be normalized)
+ * @param path - The request path
+ * @returns Rate limit key
+ */
+export function createRateLimitKey(ip: string, path: string): string {
+	// Use | as separator to prevent collision attacks
+	// e.g., "192.0.2.1" + "/sign-in" vs "192.0.2" + ".1/sign-in"
+	return `${ip}|${path}`;
+}

package/template/apps/web/node_modules/@better-auth/core/src/utils/json.ts

@@ -0,0 +1,56 @@
+import { logger } from "../env";
+
+const iso8601Regex = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z$/;
+
+function reviveDate(value: unknown): any {
+	if (typeof value === "string" && iso8601Regex.test(value)) {
+		const date = new Date(value);
+		if (!isNaN(date.getTime())) {
+			return date;
+		}
+	}
+	return value;
+}
+
+/**
+ * Recursively walk a pre-parsed object and convert ISO 8601 date strings
+ * to Date instances. This handles the case where a Redis client (or similar)
+ * returns already-parsed JSON objects whose date fields are still strings.
+ */
+function reviveDates(value: unknown): any {
+	if (value === null || value === undefined) {
+		return value;
+	}
+	if (typeof value === "string") {
+		return reviveDate(value);
+	}
+	if (value instanceof Date) {
+		return value;
+	}
+	if (Array.isArray(value)) {
+		return value.map(reviveDates);
+	}
+	if (typeof value === "object") {
+		const result: Record<string, any> = {};
+		for (const key of Object.keys(value)) {
+			result[key] = reviveDates((value as Record<string, any>)[key]);
+		}
+		return result;
+	}
+	return value;
+}
+
+export function safeJSONParse<T>(data: unknown): T | null {
+	try {
+		if (typeof data !== "string") {
+			if (data === null || data === undefined) {
+				return null;
+			}
+			return reviveDates(data) as T;
+		}
+		return JSON.parse(data, (_, value) => reviveDate(value));
+	} catch (e) {
+		logger.error("Error parsing JSON", { error: e });
+		return null;
+	}
+}

package/template/apps/web/node_modules/@better-auth/core/src/utils/string.ts

@@ -0,0 +1,3 @@
+export function capitalizeFirstLetter(str: string) {
+	return str.charAt(0).toUpperCase() + str.slice(1);
+}