This is page 22 of 51. Use http://codebase.md/better-auth/better-auth?lines=false&page={x} to view the full context.
# Directory Structure
```
├── .gitattributes
├── .github
│ ├── CODEOWNERS
│ ├── FUNDING.yml
│ ├── ISSUE_TEMPLATE
│ │ ├── bug_report.yml
│ │ └── feature_request.yml
│ ├── renovate.json5
│ └── workflows
│ ├── ci.yml
│ ├── e2e.yml
│ ├── preview.yml
│ └── release.yml
├── .gitignore
├── .npmrc
├── .nvmrc
├── .vscode
│ └── settings.json
├── banner-dark.png
├── banner.png
├── biome.json
├── bump.config.ts
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── demo
│ ├── expo-example
│ │ ├── .env.example
│ │ ├── .gitignore
│ │ ├── app.config.ts
│ │ ├── assets
│ │ │ ├── bg-image.jpeg
│ │ │ ├── fonts
│ │ │ │ └── SpaceMono-Regular.ttf
│ │ │ ├── icon.png
│ │ │ └── images
│ │ │ ├── adaptive-icon.png
│ │ │ ├── favicon.png
│ │ │ ├── logo.png
│ │ │ ├── partial-react-logo.png
│ │ │ ├── react-logo.png
│ │ │ ├── [email protected]
│ │ │ ├── [email protected]
│ │ │ └── splash.png
│ │ ├── babel.config.js
│ │ ├── components.json
│ │ ├── expo-env.d.ts
│ │ ├── index.ts
│ │ ├── metro.config.js
│ │ ├── nativewind-env.d.ts
│ │ ├── package.json
│ │ ├── README.md
│ │ ├── src
│ │ │ ├── app
│ │ │ │ ├── _layout.tsx
│ │ │ │ ├── api
│ │ │ │ │ └── auth
│ │ │ │ │ └── [...route]+api.ts
│ │ │ │ ├── dashboard.tsx
│ │ │ │ ├── forget-password.tsx
│ │ │ │ ├── index.tsx
│ │ │ │ └── sign-up.tsx
│ │ │ ├── components
│ │ │ │ ├── icons
│ │ │ │ │ └── google.tsx
│ │ │ │ └── ui
│ │ │ │ ├── avatar.tsx
│ │ │ │ ├── button.tsx
│ │ │ │ ├── card.tsx
│ │ │ │ ├── dialog.tsx
│ │ │ │ ├── input.tsx
│ │ │ │ ├── separator.tsx
│ │ │ │ └── text.tsx
│ │ │ ├── global.css
│ │ │ └── lib
│ │ │ ├── auth-client.ts
│ │ │ ├── auth.ts
│ │ │ ├── icons
│ │ │ │ ├── iconWithClassName.ts
│ │ │ │ └── X.tsx
│ │ │ └── utils.ts
│ │ ├── tailwind.config.js
│ │ └── tsconfig.json
│ └── nextjs
│ ├── .env.example
│ ├── .gitignore
│ ├── app
│ │ ├── (auth)
│ │ │ ├── forget-password
│ │ │ │ └── page.tsx
│ │ │ ├── reset-password
│ │ │ │ └── page.tsx
│ │ │ ├── sign-in
│ │ │ │ ├── loading.tsx
│ │ │ │ └── page.tsx
│ │ │ └── two-factor
│ │ │ ├── otp
│ │ │ │ └── page.tsx
│ │ │ └── page.tsx
│ │ ├── accept-invitation
│ │ │ └── [id]
│ │ │ ├── invitation-error.tsx
│ │ │ └── page.tsx
│ │ ├── admin
│ │ │ └── page.tsx
│ │ ├── api
│ │ │ └── auth
│ │ │ └── [...all]
│ │ │ └── route.ts
│ │ ├── apps
│ │ │ └── register
│ │ │ └── page.tsx
│ │ ├── client-test
│ │ │ └── page.tsx
│ │ ├── dashboard
│ │ │ ├── change-plan.tsx
│ │ │ ├── client.tsx
│ │ │ ├── organization-card.tsx
│ │ │ ├── page.tsx
│ │ │ ├── upgrade-button.tsx
│ │ │ └── user-card.tsx
│ │ ├── device
│ │ │ ├── approve
│ │ │ │ └── page.tsx
│ │ │ ├── denied
│ │ │ │ └── page.tsx
│ │ │ ├── layout.tsx
│ │ │ ├── page.tsx
│ │ │ └── success
│ │ │ └── page.tsx
│ │ ├── favicon.ico
│ │ ├── features.tsx
│ │ ├── fonts
│ │ │ ├── GeistMonoVF.woff
│ │ │ └── GeistVF.woff
│ │ ├── globals.css
│ │ ├── layout.tsx
│ │ ├── oauth
│ │ │ └── authorize
│ │ │ ├── concet-buttons.tsx
│ │ │ └── page.tsx
│ │ ├── page.tsx
│ │ └── pricing
│ │ └── page.tsx
│ ├── components
│ │ ├── account-switch.tsx
│ │ ├── blocks
│ │ │ └── pricing.tsx
│ │ ├── logo.tsx
│ │ ├── one-tap.tsx
│ │ ├── sign-in-btn.tsx
│ │ ├── sign-in.tsx
│ │ ├── sign-up.tsx
│ │ ├── theme-provider.tsx
│ │ ├── theme-toggle.tsx
│ │ ├── tier-labels.tsx
│ │ ├── ui
│ │ │ ├── accordion.tsx
│ │ │ ├── alert-dialog.tsx
│ │ │ ├── alert.tsx
│ │ │ ├── aspect-ratio.tsx
│ │ │ ├── avatar.tsx
│ │ │ ├── badge.tsx
│ │ │ ├── breadcrumb.tsx
│ │ │ ├── button.tsx
│ │ │ ├── calendar.tsx
│ │ │ ├── card.tsx
│ │ │ ├── carousel.tsx
│ │ │ ├── chart.tsx
│ │ │ ├── checkbox.tsx
│ │ │ ├── collapsible.tsx
│ │ │ ├── command.tsx
│ │ │ ├── context-menu.tsx
│ │ │ ├── copy-button.tsx
│ │ │ ├── dialog.tsx
│ │ │ ├── drawer.tsx
│ │ │ ├── dropdown-menu.tsx
│ │ │ ├── form.tsx
│ │ │ ├── hover-card.tsx
│ │ │ ├── input-otp.tsx
│ │ │ ├── input.tsx
│ │ │ ├── label.tsx
│ │ │ ├── menubar.tsx
│ │ │ ├── navigation-menu.tsx
│ │ │ ├── pagination.tsx
│ │ │ ├── password-input.tsx
│ │ │ ├── popover.tsx
│ │ │ ├── progress.tsx
│ │ │ ├── radio-group.tsx
│ │ │ ├── resizable.tsx
│ │ │ ├── scroll-area.tsx
│ │ │ ├── select.tsx
│ │ │ ├── separator.tsx
│ │ │ ├── sheet.tsx
│ │ │ ├── skeleton.tsx
│ │ │ ├── slider.tsx
│ │ │ ├── sonner.tsx
│ │ │ ├── switch.tsx
│ │ │ ├── table.tsx
│ │ │ ├── tabs.tsx
│ │ │ ├── tabs2.tsx
│ │ │ ├── textarea.tsx
│ │ │ ├── toast.tsx
│ │ │ ├── toaster.tsx
│ │ │ ├── toggle-group.tsx
│ │ │ ├── toggle.tsx
│ │ │ └── tooltip.tsx
│ │ └── wrapper.tsx
│ ├── components.json
│ ├── hooks
│ │ └── use-toast.ts
│ ├── lib
│ │ ├── auth-client.ts
│ │ ├── auth-types.ts
│ │ ├── auth.ts
│ │ ├── email
│ │ │ ├── invitation.tsx
│ │ │ ├── resend.ts
│ │ │ └── reset-password.tsx
│ │ ├── metadata.ts
│ │ ├── shared.ts
│ │ └── utils.ts
│ ├── next.config.ts
│ ├── package.json
│ ├── postcss.config.mjs
│ ├── proxy.ts
│ ├── public
│ │ ├── __og.png
│ │ ├── _og.png
│ │ ├── favicon
│ │ │ ├── android-chrome-192x192.png
│ │ │ ├── android-chrome-512x512.png
│ │ │ ├── apple-touch-icon.png
│ │ │ ├── favicon-16x16.png
│ │ │ ├── favicon-32x32.png
│ │ │ ├── favicon.ico
│ │ │ ├── light
│ │ │ │ ├── android-chrome-192x192.png
│ │ │ │ ├── android-chrome-512x512.png
│ │ │ │ ├── apple-touch-icon.png
│ │ │ │ ├── favicon-16x16.png
│ │ │ │ ├── favicon-32x32.png
│ │ │ │ ├── favicon.ico
│ │ │ │ └── site.webmanifest
│ │ │ └── site.webmanifest
│ │ ├── logo.svg
│ │ └── og.png
│ ├── README.md
│ ├── tailwind.config.ts
│ ├── tsconfig.json
│ └── turbo.json
├── docker-compose.yml
├── docs
│ ├── .env.example
│ ├── .gitignore
│ ├── app
│ │ ├── api
│ │ │ ├── ai-chat
│ │ │ │ └── route.ts
│ │ │ ├── analytics
│ │ │ │ ├── conversation
│ │ │ │ │ └── route.ts
│ │ │ │ ├── event
│ │ │ │ │ └── route.ts
│ │ │ │ └── feedback
│ │ │ │ └── route.ts
│ │ │ ├── chat
│ │ │ │ └── route.ts
│ │ │ ├── og
│ │ │ │ └── route.tsx
│ │ │ ├── og-release
│ │ │ │ └── route.tsx
│ │ │ ├── search
│ │ │ │ └── route.ts
│ │ │ └── support
│ │ │ └── route.ts
│ │ ├── blog
│ │ │ ├── _components
│ │ │ │ ├── _layout.tsx
│ │ │ │ ├── blog-list.tsx
│ │ │ │ ├── changelog-layout.tsx
│ │ │ │ ├── default-changelog.tsx
│ │ │ │ ├── fmt-dates.tsx
│ │ │ │ ├── icons.tsx
│ │ │ │ ├── stat-field.tsx
│ │ │ │ └── support.tsx
│ │ │ ├── [[...slug]]
│ │ │ │ └── page.tsx
│ │ │ └── layout.tsx
│ │ ├── changelogs
│ │ │ ├── _components
│ │ │ │ ├── _layout.tsx
│ │ │ │ ├── changelog-layout.tsx
│ │ │ │ ├── default-changelog.tsx
│ │ │ │ ├── fmt-dates.tsx
│ │ │ │ ├── grid-pattern.tsx
│ │ │ │ ├── icons.tsx
│ │ │ │ └── stat-field.tsx
│ │ │ ├── [[...slug]]
│ │ │ │ └── page.tsx
│ │ │ └── layout.tsx
│ │ ├── community
│ │ │ ├── _components
│ │ │ │ ├── header.tsx
│ │ │ │ └── stats.tsx
│ │ │ └── page.tsx
│ │ ├── docs
│ │ │ ├── [[...slug]]
│ │ │ │ ├── page.client.tsx
│ │ │ │ └── page.tsx
│ │ │ ├── layout.tsx
│ │ │ └── lib
│ │ │ └── get-llm-text.ts
│ │ ├── global.css
│ │ ├── layout.config.tsx
│ │ ├── layout.tsx
│ │ ├── llms.txt
│ │ │ ├── [...slug]
│ │ │ │ └── route.ts
│ │ │ └── route.ts
│ │ ├── not-found.tsx
│ │ ├── page.tsx
│ │ ├── reference
│ │ │ └── route.ts
│ │ ├── sitemap.xml
│ │ ├── static.json
│ │ │ └── route.ts
│ │ └── v1
│ │ ├── _components
│ │ │ └── v1-text.tsx
│ │ ├── bg-line.tsx
│ │ └── page.tsx
│ ├── assets
│ │ ├── Geist.ttf
│ │ └── GeistMono.ttf
│ ├── components
│ │ ├── ai-chat-modal.tsx
│ │ ├── anchor-scroll-fix.tsx
│ │ ├── api-method-tabs.tsx
│ │ ├── api-method.tsx
│ │ ├── banner.tsx
│ │ ├── blocks
│ │ │ └── features.tsx
│ │ ├── builder
│ │ │ ├── beam.tsx
│ │ │ ├── code-tabs
│ │ │ │ ├── code-editor.tsx
│ │ │ │ ├── code-tabs.tsx
│ │ │ │ ├── index.tsx
│ │ │ │ ├── tab-bar.tsx
│ │ │ │ └── theme.ts
│ │ │ ├── index.tsx
│ │ │ ├── sign-in.tsx
│ │ │ ├── sign-up.tsx
│ │ │ ├── social-provider.tsx
│ │ │ ├── store.ts
│ │ │ └── tabs.tsx
│ │ ├── display-techstack.tsx
│ │ ├── divider-text.tsx
│ │ ├── docs
│ │ │ ├── docs.client.tsx
│ │ │ ├── docs.tsx
│ │ │ ├── layout
│ │ │ │ ├── nav.tsx
│ │ │ │ ├── theme-toggle.tsx
│ │ │ │ ├── toc-thumb.tsx
│ │ │ │ └── toc.tsx
│ │ │ ├── page.client.tsx
│ │ │ ├── page.tsx
│ │ │ ├── shared.tsx
│ │ │ └── ui
│ │ │ ├── button.tsx
│ │ │ ├── collapsible.tsx
│ │ │ ├── popover.tsx
│ │ │ └── scroll-area.tsx
│ │ ├── endpoint.tsx
│ │ ├── features.tsx
│ │ ├── floating-ai-search.tsx
│ │ ├── fork-button.tsx
│ │ ├── generate-apple-jwt.tsx
│ │ ├── generate-secret.tsx
│ │ ├── github-stat.tsx
│ │ ├── icons.tsx
│ │ ├── landing
│ │ │ ├── gradient-bg.tsx
│ │ │ ├── grid-pattern.tsx
│ │ │ ├── hero.tsx
│ │ │ ├── section-svg.tsx
│ │ │ ├── section.tsx
│ │ │ ├── spotlight.tsx
│ │ │ └── testimonials.tsx
│ │ ├── logo-context-menu.tsx
│ │ ├── logo.tsx
│ │ ├── markdown-renderer.tsx
│ │ ├── markdown.tsx
│ │ ├── mdx
│ │ │ ├── add-to-cursor.tsx
│ │ │ └── database-tables.tsx
│ │ ├── message-feedback.tsx
│ │ ├── mobile-search-icon.tsx
│ │ ├── nav-bar.tsx
│ │ ├── nav-link.tsx
│ │ ├── nav-mobile.tsx
│ │ ├── promo-card.tsx
│ │ ├── resource-card.tsx
│ │ ├── resource-grid.tsx
│ │ ├── resource-section.tsx
│ │ ├── ripple.tsx
│ │ ├── search-dialog.tsx
│ │ ├── side-bar.tsx
│ │ ├── sidebar-content.tsx
│ │ ├── techstack-icons.tsx
│ │ ├── theme-provider.tsx
│ │ ├── theme-toggler.tsx
│ │ └── ui
│ │ ├── accordion.tsx
│ │ ├── alert-dialog.tsx
│ │ ├── alert.tsx
│ │ ├── aside-link.tsx
│ │ ├── aspect-ratio.tsx
│ │ ├── avatar.tsx
│ │ ├── background-beams.tsx
│ │ ├── background-boxes.tsx
│ │ ├── badge.tsx
│ │ ├── breadcrumb.tsx
│ │ ├── button.tsx
│ │ ├── calendar.tsx
│ │ ├── callout.tsx
│ │ ├── card.tsx
│ │ ├── carousel.tsx
│ │ ├── chart.tsx
│ │ ├── checkbox.tsx
│ │ ├── code-block.tsx
│ │ ├── collapsible.tsx
│ │ ├── command.tsx
│ │ ├── context-menu.tsx
│ │ ├── dialog.tsx
│ │ ├── drawer.tsx
│ │ ├── dropdown-menu.tsx
│ │ ├── dynamic-code-block.tsx
│ │ ├── fade-in.tsx
│ │ ├── form.tsx
│ │ ├── hover-card.tsx
│ │ ├── input-otp.tsx
│ │ ├── input.tsx
│ │ ├── label.tsx
│ │ ├── menubar.tsx
│ │ ├── navigation-menu.tsx
│ │ ├── pagination.tsx
│ │ ├── popover.tsx
│ │ ├── progress.tsx
│ │ ├── radio-group.tsx
│ │ ├── resizable.tsx
│ │ ├── scroll-area.tsx
│ │ ├── select.tsx
│ │ ├── separator.tsx
│ │ ├── sheet.tsx
│ │ ├── sidebar.tsx
│ │ ├── skeleton.tsx
│ │ ├── slider.tsx
│ │ ├── sonner.tsx
│ │ ├── sparkles.tsx
│ │ ├── switch.tsx
│ │ ├── table.tsx
│ │ ├── tabs.tsx
│ │ ├── textarea.tsx
│ │ ├── toggle-group.tsx
│ │ ├── toggle.tsx
│ │ ├── tooltip-docs.tsx
│ │ ├── tooltip.tsx
│ │ └── use-copy-button.tsx
│ ├── components.json
│ ├── content
│ │ ├── blogs
│ │ │ ├── 0-supabase-auth-to-planetscale-migration.mdx
│ │ │ ├── 1-3.mdx
│ │ │ ├── authjs-joins-better-auth.mdx
│ │ │ └── seed-round.mdx
│ │ ├── changelogs
│ │ │ ├── 1-2.mdx
│ │ │ └── 1.0.mdx
│ │ └── docs
│ │ ├── adapters
│ │ │ ├── community-adapters.mdx
│ │ │ ├── drizzle.mdx
│ │ │ ├── mongo.mdx
│ │ │ ├── mssql.mdx
│ │ │ ├── mysql.mdx
│ │ │ ├── other-relational-databases.mdx
│ │ │ ├── postgresql.mdx
│ │ │ ├── prisma.mdx
│ │ │ └── sqlite.mdx
│ │ ├── authentication
│ │ │ ├── apple.mdx
│ │ │ ├── atlassian.mdx
│ │ │ ├── cognito.mdx
│ │ │ ├── discord.mdx
│ │ │ ├── dropbox.mdx
│ │ │ ├── email-password.mdx
│ │ │ ├── facebook.mdx
│ │ │ ├── figma.mdx
│ │ │ ├── github.mdx
│ │ │ ├── gitlab.mdx
│ │ │ ├── google.mdx
│ │ │ ├── huggingface.mdx
│ │ │ ├── kakao.mdx
│ │ │ ├── kick.mdx
│ │ │ ├── line.mdx
│ │ │ ├── linear.mdx
│ │ │ ├── linkedin.mdx
│ │ │ ├── microsoft.mdx
│ │ │ ├── naver.mdx
│ │ │ ├── notion.mdx
│ │ │ ├── other-social-providers.mdx
│ │ │ ├── paypal.mdx
│ │ │ ├── reddit.mdx
│ │ │ ├── roblox.mdx
│ │ │ ├── salesforce.mdx
│ │ │ ├── slack.mdx
│ │ │ ├── spotify.mdx
│ │ │ ├── tiktok.mdx
│ │ │ ├── twitch.mdx
│ │ │ ├── twitter.mdx
│ │ │ ├── vk.mdx
│ │ │ └── zoom.mdx
│ │ ├── basic-usage.mdx
│ │ ├── comparison.mdx
│ │ ├── concepts
│ │ │ ├── api.mdx
│ │ │ ├── cli.mdx
│ │ │ ├── client.mdx
│ │ │ ├── cookies.mdx
│ │ │ ├── database.mdx
│ │ │ ├── email.mdx
│ │ │ ├── hooks.mdx
│ │ │ ├── oauth.mdx
│ │ │ ├── plugins.mdx
│ │ │ ├── rate-limit.mdx
│ │ │ ├── session-management.mdx
│ │ │ ├── typescript.mdx
│ │ │ └── users-accounts.mdx
│ │ ├── examples
│ │ │ ├── astro.mdx
│ │ │ ├── next-js.mdx
│ │ │ ├── nuxt.mdx
│ │ │ ├── remix.mdx
│ │ │ └── svelte-kit.mdx
│ │ ├── guides
│ │ │ ├── auth0-migration-guide.mdx
│ │ │ ├── browser-extension-guide.mdx
│ │ │ ├── clerk-migration-guide.mdx
│ │ │ ├── create-a-db-adapter.mdx
│ │ │ ├── next-auth-migration-guide.mdx
│ │ │ ├── optimizing-for-performance.mdx
│ │ │ ├── saml-sso-with-okta.mdx
│ │ │ ├── supabase-migration-guide.mdx
│ │ │ └── your-first-plugin.mdx
│ │ ├── installation.mdx
│ │ ├── integrations
│ │ │ ├── astro.mdx
│ │ │ ├── convex.mdx
│ │ │ ├── elysia.mdx
│ │ │ ├── expo.mdx
│ │ │ ├── express.mdx
│ │ │ ├── fastify.mdx
│ │ │ ├── hono.mdx
│ │ │ ├── lynx.mdx
│ │ │ ├── nestjs.mdx
│ │ │ ├── next.mdx
│ │ │ ├── nitro.mdx
│ │ │ ├── nuxt.mdx
│ │ │ ├── remix.mdx
│ │ │ ├── solid-start.mdx
│ │ │ ├── svelte-kit.mdx
│ │ │ ├── tanstack.mdx
│ │ │ └── waku.mdx
│ │ ├── introduction.mdx
│ │ ├── meta.json
│ │ ├── plugins
│ │ │ ├── 2fa.mdx
│ │ │ ├── admin.mdx
│ │ │ ├── anonymous.mdx
│ │ │ ├── api-key.mdx
│ │ │ ├── autumn.mdx
│ │ │ ├── bearer.mdx
│ │ │ ├── captcha.mdx
│ │ │ ├── community-plugins.mdx
│ │ │ ├── device-authorization.mdx
│ │ │ ├── dodopayments.mdx
│ │ │ ├── dub.mdx
│ │ │ ├── email-otp.mdx
│ │ │ ├── generic-oauth.mdx
│ │ │ ├── have-i-been-pwned.mdx
│ │ │ ├── jwt.mdx
│ │ │ ├── last-login-method.mdx
│ │ │ ├── magic-link.mdx
│ │ │ ├── mcp.mdx
│ │ │ ├── multi-session.mdx
│ │ │ ├── oauth-proxy.mdx
│ │ │ ├── oidc-provider.mdx
│ │ │ ├── one-tap.mdx
│ │ │ ├── one-time-token.mdx
│ │ │ ├── open-api.mdx
│ │ │ ├── organization.mdx
│ │ │ ├── passkey.mdx
│ │ │ ├── phone-number.mdx
│ │ │ ├── polar.mdx
│ │ │ ├── siwe.mdx
│ │ │ ├── sso.mdx
│ │ │ ├── stripe.mdx
│ │ │ └── username.mdx
│ │ └── reference
│ │ ├── contributing.mdx
│ │ ├── faq.mdx
│ │ ├── options.mdx
│ │ ├── resources.mdx
│ │ ├── security.mdx
│ │ └── telemetry.mdx
│ ├── hooks
│ │ └── use-mobile.ts
│ ├── ignore-build.sh
│ ├── lib
│ │ ├── blog.ts
│ │ ├── chat
│ │ │ └── inkeep-qa-schema.ts
│ │ ├── constants.ts
│ │ ├── export-search-indexes.ts
│ │ ├── inkeep-analytics.ts
│ │ ├── is-active.ts
│ │ ├── metadata.ts
│ │ ├── source.ts
│ │ └── utils.ts
│ ├── next.config.js
│ ├── package.json
│ ├── postcss.config.js
│ ├── proxy.ts
│ ├── public
│ │ ├── avatars
│ │ │ └── beka.jpg
│ │ ├── blogs
│ │ │ ├── authjs-joins.png
│ │ │ ├── seed-round.png
│ │ │ └── supabase-ps.png
│ │ ├── branding
│ │ │ ├── better-auth-brand-assets.zip
│ │ │ ├── better-auth-logo-dark.png
│ │ │ ├── better-auth-logo-dark.svg
│ │ │ ├── better-auth-logo-light.png
│ │ │ ├── better-auth-logo-light.svg
│ │ │ ├── better-auth-logo-wordmark-dark.png
│ │ │ ├── better-auth-logo-wordmark-dark.svg
│ │ │ ├── better-auth-logo-wordmark-light.png
│ │ │ └── better-auth-logo-wordmark-light.svg
│ │ ├── extension-id.png
│ │ ├── favicon
│ │ │ ├── android-chrome-192x192.png
│ │ │ ├── android-chrome-512x512.png
│ │ │ ├── apple-touch-icon.png
│ │ │ ├── favicon-16x16.png
│ │ │ ├── favicon-32x32.png
│ │ │ ├── favicon.ico
│ │ │ ├── light
│ │ │ │ ├── android-chrome-192x192.png
│ │ │ │ ├── android-chrome-512x512.png
│ │ │ │ ├── apple-touch-icon.png
│ │ │ │ ├── favicon-16x16.png
│ │ │ │ ├── favicon-32x32.png
│ │ │ │ ├── favicon.ico
│ │ │ │ └── site.webmanifest
│ │ │ └── site.webmanifest
│ │ ├── images
│ │ │ └── blogs
│ │ │ └── better auth (1).png
│ │ ├── logo.png
│ │ ├── logo.svg
│ │ ├── LogoDark.webp
│ │ ├── LogoLight.webp
│ │ ├── og.png
│ │ ├── open-api-reference.png
│ │ ├── people-say
│ │ │ ├── code-with-antonio.jpg
│ │ │ ├── dagmawi-babi.png
│ │ │ ├── dax.png
│ │ │ ├── dev-ed.png
│ │ │ ├── egoist.png
│ │ │ ├── guillermo-rauch.png
│ │ │ ├── jonathan-wilke.png
│ │ │ ├── josh-tried-coding.jpg
│ │ │ ├── kitze.jpg
│ │ │ ├── lazar-nikolov.png
│ │ │ ├── nizzy.png
│ │ │ ├── omar-mcadam.png
│ │ │ ├── ryan-vogel.jpg
│ │ │ ├── saltyatom.jpg
│ │ │ ├── sebastien-chopin.png
│ │ │ ├── shreyas-mididoddi.png
│ │ │ ├── tech-nerd.png
│ │ │ ├── theo.png
│ │ │ ├── vybhav-bhargav.png
│ │ │ └── xavier-pladevall.jpg
│ │ ├── plus.svg
│ │ ├── release-og
│ │ │ ├── 1-2.png
│ │ │ ├── 1-3.png
│ │ │ └── changelog-og.png
│ │ └── v1-og.png
│ ├── README.md
│ ├── scripts
│ │ ├── endpoint-to-doc
│ │ │ ├── index.ts
│ │ │ ├── input.ts
│ │ │ ├── output.mdx
│ │ │ └── readme.md
│ │ └── sync-orama.ts
│ ├── source.config.ts
│ ├── tailwind.config.js
│ ├── tsconfig.json
│ └── turbo.json
├── e2e
│ ├── integration
│ │ ├── package.json
│ │ ├── playwright.config.ts
│ │ ├── solid-vinxi
│ │ │ ├── .gitignore
│ │ │ ├── app.config.ts
│ │ │ ├── e2e
│ │ │ │ ├── test.spec.ts
│ │ │ │ └── utils.ts
│ │ │ ├── package.json
│ │ │ ├── public
│ │ │ │ └── favicon.ico
│ │ │ ├── src
│ │ │ │ ├── app.tsx
│ │ │ │ ├── entry-client.tsx
│ │ │ │ ├── entry-server.tsx
│ │ │ │ ├── global.d.ts
│ │ │ │ ├── lib
│ │ │ │ │ ├── auth-client.ts
│ │ │ │ │ └── auth.ts
│ │ │ │ └── routes
│ │ │ │ ├── [...404].tsx
│ │ │ │ ├── api
│ │ │ │ │ └── auth
│ │ │ │ │ └── [...all].ts
│ │ │ │ └── index.tsx
│ │ │ └── tsconfig.json
│ │ ├── test-utils
│ │ │ ├── package.json
│ │ │ └── src
│ │ │ └── playwright.ts
│ │ └── vanilla-node
│ │ ├── e2e
│ │ │ ├── app.ts
│ │ │ ├── domain.spec.ts
│ │ │ ├── postgres-js.spec.ts
│ │ │ ├── test.spec.ts
│ │ │ └── utils.ts
│ │ ├── index.html
│ │ ├── package.json
│ │ ├── src
│ │ │ ├── main.ts
│ │ │ └── vite-env.d.ts
│ │ ├── tsconfig.json
│ │ └── vite.config.ts
│ └── smoke
│ ├── package.json
│ ├── test
│ │ ├── bun.spec.ts
│ │ ├── cloudflare.spec.ts
│ │ ├── deno.spec.ts
│ │ ├── fixtures
│ │ │ ├── bun-simple.ts
│ │ │ ├── cloudflare
│ │ │ │ ├── .gitignore
│ │ │ │ ├── drizzle
│ │ │ │ │ ├── 0000_clean_vector.sql
│ │ │ │ │ └── meta
│ │ │ │ │ ├── _journal.json
│ │ │ │ │ └── 0000_snapshot.json
│ │ │ │ ├── drizzle.config.ts
│ │ │ │ ├── package.json
│ │ │ │ ├── src
│ │ │ │ │ ├── auth-schema.ts
│ │ │ │ │ ├── db.ts
│ │ │ │ │ └── index.ts
│ │ │ │ ├── test
│ │ │ │ │ ├── apply-migrations.ts
│ │ │ │ │ ├── env.d.ts
│ │ │ │ │ └── index.test.ts
│ │ │ │ ├── tsconfig.json
│ │ │ │ ├── vitest.config.ts
│ │ │ │ ├── worker-configuration.d.ts
│ │ │ │ └── wrangler.json
│ │ │ ├── deno-simple.ts
│ │ │ ├── tsconfig-declaration
│ │ │ │ ├── package.json
│ │ │ │ ├── src
│ │ │ │ │ ├── demo.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── username.ts
│ │ │ │ └── tsconfig.json
│ │ │ ├── tsconfig-exact-optional-property-types
│ │ │ │ ├── package.json
│ │ │ │ ├── src
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── organization.ts
│ │ │ │ │ ├── user-additional-fields.ts
│ │ │ │ │ └── username.ts
│ │ │ │ └── tsconfig.json
│ │ │ ├── tsconfig-isolated-module-bundler
│ │ │ │ ├── package.json
│ │ │ │ ├── src
│ │ │ │ │ └── index.ts
│ │ │ │ └── tsconfig.json
│ │ │ ├── tsconfig-verbatim-module-syntax-node10
│ │ │ │ ├── package.json
│ │ │ │ ├── src
│ │ │ │ │ └── index.ts
│ │ │ │ └── tsconfig.json
│ │ │ └── vite
│ │ │ ├── package.json
│ │ │ ├── src
│ │ │ │ ├── client.ts
│ │ │ │ └── server.ts
│ │ │ ├── tsconfig.json
│ │ │ └── vite.config.ts
│ │ ├── ssr.ts
│ │ ├── typecheck.spec.ts
│ │ └── vite.spec.ts
│ └── tsconfig.json
├── LICENSE.md
├── package.json
├── packages
│ ├── better-auth
│ │ ├── package.json
│ │ ├── README.md
│ │ ├── src
│ │ │ ├── __snapshots__
│ │ │ │ └── init.test.ts.snap
│ │ │ ├── adapters
│ │ │ │ ├── adapter-factory
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── test
│ │ │ │ │ │ ├── __snapshots__
│ │ │ │ │ │ │ └── adapter-factory.test.ts.snap
│ │ │ │ │ │ └── adapter-factory.test.ts
│ │ │ │ │ └── types.ts
│ │ │ │ ├── create-test-suite.ts
│ │ │ │ ├── drizzle-adapter
│ │ │ │ │ ├── drizzle-adapter.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── test
│ │ │ │ │ ├── .gitignore
│ │ │ │ │ ├── adapter.drizzle.mysql.test.ts
│ │ │ │ │ ├── adapter.drizzle.pg.test.ts
│ │ │ │ │ ├── adapter.drizzle.sqlite.test.ts
│ │ │ │ │ └── generate-schema.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── kysely-adapter
│ │ │ │ │ ├── bun-sqlite-dialect.ts
│ │ │ │ │ ├── dialect.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── kysely-adapter.ts
│ │ │ │ │ ├── node-sqlite-dialect.ts
│ │ │ │ │ ├── test
│ │ │ │ │ │ ├── adapter.kysely.mssql.test.ts
│ │ │ │ │ │ ├── adapter.kysely.mysql.test.ts
│ │ │ │ │ │ ├── adapter.kysely.pg.test.ts
│ │ │ │ │ │ ├── adapter.kysely.sqlite.test.ts
│ │ │ │ │ │ └── node-sqlite-dialect.test.ts
│ │ │ │ │ └── types.ts
│ │ │ │ ├── memory-adapter
│ │ │ │ │ ├── adapter.memory.test.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── memory-adapter.ts
│ │ │ │ ├── mongodb-adapter
│ │ │ │ │ ├── adapter.mongo-db.test.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── mongodb-adapter.ts
│ │ │ │ ├── prisma-adapter
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── prisma-adapter.ts
│ │ │ │ │ └── test
│ │ │ │ │ ├── .gitignore
│ │ │ │ │ ├── base.prisma
│ │ │ │ │ ├── generate-auth-config.ts
│ │ │ │ │ ├── generate-prisma-schema.ts
│ │ │ │ │ ├── get-prisma-client.ts
│ │ │ │ │ ├── prisma.mysql.test.ts
│ │ │ │ │ ├── prisma.pg.test.ts
│ │ │ │ │ ├── prisma.sqlite.test.ts
│ │ │ │ │ └── push-prisma-schema.ts
│ │ │ │ ├── test-adapter.ts
│ │ │ │ ├── test.ts
│ │ │ │ ├── tests
│ │ │ │ │ ├── auth-flow.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── normal.ts
│ │ │ │ │ ├── number-id.ts
│ │ │ │ │ ├── performance.ts
│ │ │ │ │ └── transactions.ts
│ │ │ │ └── utils.ts
│ │ │ ├── api
│ │ │ │ ├── check-endpoint-conflicts.test.ts
│ │ │ │ ├── index.test.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── middlewares
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── origin-check.test.ts
│ │ │ │ │ └── origin-check.ts
│ │ │ │ ├── rate-limiter
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── rate-limiter.test.ts
│ │ │ │ ├── routes
│ │ │ │ │ ├── account.test.ts
│ │ │ │ │ ├── account.ts
│ │ │ │ │ ├── callback.ts
│ │ │ │ │ ├── email-verification.test.ts
│ │ │ │ │ ├── email-verification.ts
│ │ │ │ │ ├── error.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── ok.ts
│ │ │ │ │ ├── reset-password.test.ts
│ │ │ │ │ ├── reset-password.ts
│ │ │ │ │ ├── session-api.test.ts
│ │ │ │ │ ├── session.ts
│ │ │ │ │ ├── sign-in.test.ts
│ │ │ │ │ ├── sign-in.ts
│ │ │ │ │ ├── sign-out.test.ts
│ │ │ │ │ ├── sign-out.ts
│ │ │ │ │ ├── sign-up.test.ts
│ │ │ │ │ ├── sign-up.ts
│ │ │ │ │ ├── update-user.test.ts
│ │ │ │ │ └── update-user.ts
│ │ │ │ ├── to-auth-endpoints.test.ts
│ │ │ │ └── to-auth-endpoints.ts
│ │ │ ├── auth.test.ts
│ │ │ ├── auth.ts
│ │ │ ├── call.test.ts
│ │ │ ├── client
│ │ │ │ ├── client-ssr.test.ts
│ │ │ │ ├── client.test.ts
│ │ │ │ ├── config.ts
│ │ │ │ ├── fetch-plugins.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── lynx
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── lynx-store.ts
│ │ │ │ ├── parser.ts
│ │ │ │ ├── path-to-object.ts
│ │ │ │ ├── plugins
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── infer-plugin.ts
│ │ │ │ ├── proxy.ts
│ │ │ │ ├── query.ts
│ │ │ │ ├── react
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── react-store.ts
│ │ │ │ ├── session-atom.ts
│ │ │ │ ├── solid
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── solid-store.ts
│ │ │ │ ├── svelte
│ │ │ │ │ └── index.ts
│ │ │ │ ├── test-plugin.ts
│ │ │ │ ├── types.ts
│ │ │ │ ├── url.test.ts
│ │ │ │ ├── vanilla.ts
│ │ │ │ └── vue
│ │ │ │ ├── index.ts
│ │ │ │ └── vue-store.ts
│ │ │ ├── cookies
│ │ │ │ ├── check-cookies.ts
│ │ │ │ ├── cookie-utils.ts
│ │ │ │ ├── cookies.test.ts
│ │ │ │ └── index.ts
│ │ │ ├── crypto
│ │ │ │ ├── buffer.ts
│ │ │ │ ├── hash.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── jwt.ts
│ │ │ │ ├── password.test.ts
│ │ │ │ ├── password.ts
│ │ │ │ └── random.ts
│ │ │ ├── db
│ │ │ │ ├── db.test.ts
│ │ │ │ ├── field.ts
│ │ │ │ ├── get-migration.ts
│ │ │ │ ├── get-schema.ts
│ │ │ │ ├── get-tables.test.ts
│ │ │ │ ├── get-tables.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── internal-adapter.test.ts
│ │ │ │ ├── internal-adapter.ts
│ │ │ │ ├── schema.ts
│ │ │ │ ├── secondary-storage.test.ts
│ │ │ │ ├── to-zod.ts
│ │ │ │ ├── utils.ts
│ │ │ │ └── with-hooks.ts
│ │ │ ├── index.ts
│ │ │ ├── init.test.ts
│ │ │ ├── init.ts
│ │ │ ├── integrations
│ │ │ │ ├── next-js.ts
│ │ │ │ ├── node.ts
│ │ │ │ ├── react-start.ts
│ │ │ │ ├── solid-start.ts
│ │ │ │ └── svelte-kit.ts
│ │ │ ├── oauth2
│ │ │ │ ├── index.ts
│ │ │ │ ├── link-account.test.ts
│ │ │ │ ├── link-account.ts
│ │ │ │ ├── state.ts
│ │ │ │ └── utils.ts
│ │ │ ├── plugins
│ │ │ │ ├── access
│ │ │ │ │ ├── access.test.ts
│ │ │ │ │ ├── access.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── types.ts
│ │ │ │ ├── additional-fields
│ │ │ │ │ ├── additional-fields.test.ts
│ │ │ │ │ └── client.ts
│ │ │ │ ├── admin
│ │ │ │ │ ├── access
│ │ │ │ │ │ ├── index.ts
│ │ │ │ │ │ └── statement.ts
│ │ │ │ │ ├── admin.test.ts
│ │ │ │ │ ├── admin.ts
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── error-codes.ts
│ │ │ │ │ ├── has-permission.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── schema.ts
│ │ │ │ │ └── types.ts
│ │ │ │ ├── anonymous
│ │ │ │ │ ├── anon.test.ts
│ │ │ │ │ ├── client.ts
│ │ │ │ │ └── index.ts
│ │ │ │ ├── api-key
│ │ │ │ │ ├── api-key.test.ts
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── rate-limit.ts
│ │ │ │ │ ├── routes
│ │ │ │ │ │ ├── create-api-key.ts
│ │ │ │ │ │ ├── delete-all-expired-api-keys.ts
│ │ │ │ │ │ ├── delete-api-key.ts
│ │ │ │ │ │ ├── get-api-key.ts
│ │ │ │ │ │ ├── index.ts
│ │ │ │ │ │ ├── list-api-keys.ts
│ │ │ │ │ │ ├── update-api-key.ts
│ │ │ │ │ │ └── verify-api-key.ts
│ │ │ │ │ ├── schema.ts
│ │ │ │ │ └── types.ts
│ │ │ │ ├── bearer
│ │ │ │ │ ├── bearer.test.ts
│ │ │ │ │ └── index.ts
│ │ │ │ ├── captcha
│ │ │ │ │ ├── captcha.test.ts
│ │ │ │ │ ├── constants.ts
│ │ │ │ │ ├── error-codes.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── types.ts
│ │ │ │ │ ├── utils.ts
│ │ │ │ │ └── verify-handlers
│ │ │ │ │ ├── captchafox.ts
│ │ │ │ │ ├── cloudflare-turnstile.ts
│ │ │ │ │ ├── google-recaptcha.ts
│ │ │ │ │ ├── h-captcha.ts
│ │ │ │ │ └── index.ts
│ │ │ │ ├── custom-session
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── custom-session.test.ts
│ │ │ │ │ └── index.ts
│ │ │ │ ├── device-authorization
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── device-authorization.test.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── schema.ts
│ │ │ │ ├── email-otp
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── email-otp.test.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── utils.ts
│ │ │ │ ├── generic-oauth
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── generic-oauth.test.ts
│ │ │ │ │ └── index.ts
│ │ │ │ ├── haveibeenpwned
│ │ │ │ │ ├── haveibeenpwned.test.ts
│ │ │ │ │ └── index.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── jwt
│ │ │ │ │ ├── adapter.ts
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── jwt.test.ts
│ │ │ │ │ ├── schema.ts
│ │ │ │ │ ├── sign.ts
│ │ │ │ │ ├── types.ts
│ │ │ │ │ └── utils.ts
│ │ │ │ ├── last-login-method
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── custom-prefix.test.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── last-login-method.test.ts
│ │ │ │ ├── magic-link
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── magic-link.test.ts
│ │ │ │ │ └── utils.ts
│ │ │ │ ├── mcp
│ │ │ │ │ ├── authorize.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── mcp.test.ts
│ │ │ │ ├── multi-session
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── multi-session.test.ts
│ │ │ │ ├── oauth-proxy
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── oauth-proxy.test.ts
│ │ │ │ ├── oidc-provider
│ │ │ │ │ ├── authorize.ts
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── oidc.test.ts
│ │ │ │ │ ├── schema.ts
│ │ │ │ │ ├── types.ts
│ │ │ │ │ ├── ui.ts
│ │ │ │ │ └── utils.ts
│ │ │ │ ├── one-tap
│ │ │ │ │ ├── client.ts
│ │ │ │ │ └── index.ts
│ │ │ │ ├── one-time-token
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── one-time-token.test.ts
│ │ │ │ │ └── utils.ts
│ │ │ │ ├── open-api
│ │ │ │ │ ├── generator.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── logo.ts
│ │ │ │ │ └── open-api.test.ts
│ │ │ │ ├── organization
│ │ │ │ │ ├── access
│ │ │ │ │ │ ├── index.ts
│ │ │ │ │ │ └── statement.ts
│ │ │ │ │ ├── adapter.ts
│ │ │ │ │ ├── call.ts
│ │ │ │ │ ├── client.test.ts
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── error-codes.ts
│ │ │ │ │ ├── has-permission.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── organization-hook.test.ts
│ │ │ │ │ ├── organization.test.ts
│ │ │ │ │ ├── organization.ts
│ │ │ │ │ ├── permission.ts
│ │ │ │ │ ├── routes
│ │ │ │ │ │ ├── crud-access-control.test.ts
│ │ │ │ │ │ ├── crud-access-control.ts
│ │ │ │ │ │ ├── crud-invites.ts
│ │ │ │ │ │ ├── crud-members.test.ts
│ │ │ │ │ │ ├── crud-members.ts
│ │ │ │ │ │ ├── crud-org.test.ts
│ │ │ │ │ │ ├── crud-org.ts
│ │ │ │ │ │ └── crud-team.ts
│ │ │ │ │ ├── schema.ts
│ │ │ │ │ ├── team.test.ts
│ │ │ │ │ └── types.ts
│ │ │ │ ├── passkey
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ └── passkey.test.ts
│ │ │ │ ├── phone-number
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── phone-number-error.ts
│ │ │ │ │ └── phone-number.test.ts
│ │ │ │ ├── siwe
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── schema.ts
│ │ │ │ │ ├── siwe.test.ts
│ │ │ │ │ └── types.ts
│ │ │ │ ├── two-factor
│ │ │ │ │ ├── backup-codes
│ │ │ │ │ │ └── index.ts
│ │ │ │ │ ├── client.ts
│ │ │ │ │ ├── constant.ts
│ │ │ │ │ ├── error-code.ts
│ │ │ │ │ ├── index.ts
│ │ │ │ │ ├── otp
│ │ │ │ │ │ └── index.ts
│ │ │ │ │ ├── schema.ts
│ │ │ │ │ ├── totp
│ │ │ │ │ │ └── index.ts
│ │ │ │ │ ├── two-factor.test.ts
│ │ │ │ │ ├── types.ts
│ │ │ │ │ ├── utils.ts
│ │ │ │ │ └── verify-two-factor.ts
│ │ │ │ └── username
│ │ │ │ ├── client.ts
│ │ │ │ ├── error-codes.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── schema.ts
│ │ │ │ └── username.test.ts
│ │ │ ├── social-providers
│ │ │ │ └── index.ts
│ │ │ ├── social.test.ts
│ │ │ ├── test-utils
│ │ │ │ ├── headers.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── state.ts
│ │ │ │ └── test-instance.ts
│ │ │ ├── types
│ │ │ │ ├── adapter.ts
│ │ │ │ ├── api.ts
│ │ │ │ ├── helper.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── models.ts
│ │ │ │ ├── plugins.ts
│ │ │ │ └── types.test.ts
│ │ │ └── utils
│ │ │ ├── await-object.ts
│ │ │ ├── boolean.ts
│ │ │ ├── clone.ts
│ │ │ ├── constants.ts
│ │ │ ├── date.ts
│ │ │ ├── ensure-utc.ts
│ │ │ ├── get-request-ip.ts
│ │ │ ├── hashing.ts
│ │ │ ├── hide-metadata.ts
│ │ │ ├── id.ts
│ │ │ ├── import-util.ts
│ │ │ ├── index.ts
│ │ │ ├── is-atom.ts
│ │ │ ├── is-promise.ts
│ │ │ ├── json.ts
│ │ │ ├── merger.ts
│ │ │ ├── middleware-response.ts
│ │ │ ├── misc.ts
│ │ │ ├── password.ts
│ │ │ ├── plugin-helper.ts
│ │ │ ├── shim.ts
│ │ │ ├── time.ts
│ │ │ ├── url.ts
│ │ │ └── wildcard.ts
│ │ ├── tsconfig.json
│ │ ├── tsdown.config.ts
│ │ ├── vitest.config.ts
│ │ └── vitest.setup.ts
│ ├── cli
│ │ ├── CHANGELOG.md
│ │ ├── package.json
│ │ ├── README.md
│ │ ├── src
│ │ │ ├── commands
│ │ │ │ ├── generate.ts
│ │ │ │ ├── info.ts
│ │ │ │ ├── init.ts
│ │ │ │ ├── login.ts
│ │ │ │ ├── mcp.ts
│ │ │ │ ├── migrate.ts
│ │ │ │ └── secret.ts
│ │ │ ├── generators
│ │ │ │ ├── auth-config.ts
│ │ │ │ ├── drizzle.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── kysely.ts
│ │ │ │ ├── prisma.ts
│ │ │ │ └── types.ts
│ │ │ ├── index.ts
│ │ │ └── utils
│ │ │ ├── add-svelte-kit-env-modules.ts
│ │ │ ├── check-package-managers.ts
│ │ │ ├── format-ms.ts
│ │ │ ├── get-config.ts
│ │ │ ├── get-package-info.ts
│ │ │ ├── get-tsconfig-info.ts
│ │ │ └── install-dependencies.ts
│ │ ├── test
│ │ │ ├── __snapshots__
│ │ │ │ ├── auth-schema-mysql-enum.txt
│ │ │ │ ├── auth-schema-mysql-number-id.txt
│ │ │ │ ├── auth-schema-mysql-passkey-number-id.txt
│ │ │ │ ├── auth-schema-mysql-passkey.txt
│ │ │ │ ├── auth-schema-mysql.txt
│ │ │ │ ├── auth-schema-number-id.txt
│ │ │ │ ├── auth-schema-pg-enum.txt
│ │ │ │ ├── auth-schema-pg-passkey.txt
│ │ │ │ ├── auth-schema-sqlite-enum.txt
│ │ │ │ ├── auth-schema-sqlite-number-id.txt
│ │ │ │ ├── auth-schema-sqlite-passkey-number-id.txt
│ │ │ │ ├── auth-schema-sqlite-passkey.txt
│ │ │ │ ├── auth-schema-sqlite.txt
│ │ │ │ ├── auth-schema.txt
│ │ │ │ ├── migrations.sql
│ │ │ │ ├── schema-mongodb.prisma
│ │ │ │ ├── schema-mysql-custom.prisma
│ │ │ │ ├── schema-mysql.prisma
│ │ │ │ ├── schema-numberid.prisma
│ │ │ │ └── schema.prisma
│ │ │ ├── generate-all-db.test.ts
│ │ │ ├── generate.test.ts
│ │ │ ├── get-config.test.ts
│ │ │ ├── info.test.ts
│ │ │ └── migrate.test.ts
│ │ ├── tsconfig.json
│ │ └── tsdown.config.ts
│ ├── core
│ │ ├── package.json
│ │ ├── src
│ │ │ ├── api
│ │ │ │ └── index.ts
│ │ │ ├── async_hooks
│ │ │ │ └── index.ts
│ │ │ ├── context
│ │ │ │ ├── endpoint-context.ts
│ │ │ │ ├── index.ts
│ │ │ │ └── transaction.ts
│ │ │ ├── db
│ │ │ │ ├── adapter
│ │ │ │ │ └── index.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── plugin.ts
│ │ │ │ ├── schema
│ │ │ │ │ ├── account.ts
│ │ │ │ │ ├── rate-limit.ts
│ │ │ │ │ ├── session.ts
│ │ │ │ │ ├── shared.ts
│ │ │ │ │ ├── user.ts
│ │ │ │ │ └── verification.ts
│ │ │ │ └── type.ts
│ │ │ ├── env
│ │ │ │ ├── color-depth.ts
│ │ │ │ ├── env-impl.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── logger.test.ts
│ │ │ │ └── logger.ts
│ │ │ ├── error
│ │ │ │ ├── codes.ts
│ │ │ │ └── index.ts
│ │ │ ├── index.ts
│ │ │ ├── oauth2
│ │ │ │ ├── client-credentials-token.ts
│ │ │ │ ├── create-authorization-url.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── oauth-provider.ts
│ │ │ │ ├── refresh-access-token.ts
│ │ │ │ ├── utils.ts
│ │ │ │ └── validate-authorization-code.ts
│ │ │ ├── social-providers
│ │ │ │ ├── apple.ts
│ │ │ │ ├── atlassian.ts
│ │ │ │ ├── cognito.ts
│ │ │ │ ├── discord.ts
│ │ │ │ ├── dropbox.ts
│ │ │ │ ├── facebook.ts
│ │ │ │ ├── figma.ts
│ │ │ │ ├── github.ts
│ │ │ │ ├── gitlab.ts
│ │ │ │ ├── google.ts
│ │ │ │ ├── huggingface.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── kakao.ts
│ │ │ │ ├── kick.ts
│ │ │ │ ├── line.ts
│ │ │ │ ├── linear.ts
│ │ │ │ ├── linkedin.ts
│ │ │ │ ├── microsoft-entra-id.ts
│ │ │ │ ├── naver.ts
│ │ │ │ ├── notion.ts
│ │ │ │ ├── paypal.ts
│ │ │ │ ├── reddit.ts
│ │ │ │ ├── roblox.ts
│ │ │ │ ├── salesforce.ts
│ │ │ │ ├── slack.ts
│ │ │ │ ├── spotify.ts
│ │ │ │ ├── tiktok.ts
│ │ │ │ ├── twitch.ts
│ │ │ │ ├── twitter.ts
│ │ │ │ ├── vk.ts
│ │ │ │ └── zoom.ts
│ │ │ ├── types
│ │ │ │ ├── context.ts
│ │ │ │ ├── cookie.ts
│ │ │ │ ├── helper.ts
│ │ │ │ ├── index.ts
│ │ │ │ ├── init-options.ts
│ │ │ │ ├── plugin-client.ts
│ │ │ │ └── plugin.ts
│ │ │ └── utils
│ │ │ ├── error-codes.ts
│ │ │ └── index.ts
│ │ ├── tsconfig.json
│ │ └── tsdown.config.ts
│ ├── expo
│ │ ├── CHANGELOG.md
│ │ ├── package.json
│ │ ├── README.md
│ │ ├── src
│ │ │ ├── client.ts
│ │ │ ├── expo.test.ts
│ │ │ └── index.ts
│ │ ├── tsconfig.json
│ │ └── tsdown.config.ts
│ ├── sso
│ │ ├── package.json
│ │ ├── src
│ │ │ ├── client.ts
│ │ │ ├── index.ts
│ │ │ ├── oidc.test.ts
│ │ │ └── saml.test.ts
│ │ ├── tsconfig.json
│ │ └── tsdown.config.ts
│ ├── stripe
│ │ ├── CHANGELOG.md
│ │ ├── package.json
│ │ ├── src
│ │ │ ├── client.ts
│ │ │ ├── hooks.ts
│ │ │ ├── index.ts
│ │ │ ├── schema.ts
│ │ │ ├── stripe.test.ts
│ │ │ ├── types.ts
│ │ │ └── utils.ts
│ │ ├── tsconfig.json
│ │ ├── tsdown.config.ts
│ │ └── vitest.config.ts
│ └── telemetry
│ ├── package.json
│ ├── src
│ │ ├── detectors
│ │ │ ├── detect-auth-config.ts
│ │ │ ├── detect-database.ts
│ │ │ ├── detect-framework.ts
│ │ │ ├── detect-project-info.ts
│ │ │ ├── detect-runtime.ts
│ │ │ └── detect-system-info.ts
│ │ ├── index.ts
│ │ ├── project-id.ts
│ │ ├── telemetry.test.ts
│ │ ├── types.ts
│ │ └── utils
│ │ ├── hash.ts
│ │ ├── id.ts
│ │ ├── import-util.ts
│ │ └── package-json.ts
│ ├── tsconfig.json
│ └── tsdown.config.ts
├── pnpm-lock.yaml
├── pnpm-workspace.yaml
├── README.md
├── SECURITY.md
├── tsconfig.base.json
├── tsconfig.json
└── turbo.json
```
# Files
--------------------------------------------------------------------------------
/packages/better-auth/src/plugins/phone-number/phone-number.test.ts:
--------------------------------------------------------------------------------
```typescript
import { describe, expect, it, vi } from "vitest";
import { getTestInstance } from "../../test-utils/test-instance";
import { phoneNumber } from ".";
import { createAuthClient } from "../../client";
import { phoneNumberClient } from "./client";
import { bearer } from "../bearer";
describe("phone-number", async (it) => {
let otp = "";
const { customFetchImpl, sessionSetter } = await getTestInstance({
plugins: [
phoneNumber({
async sendOTP({ code }) {
otp = code;
},
signUpOnVerification: {
getTempEmail(phoneNumber) {
return `temp-${phoneNumber}`;
},
},
}),
],
});
const client = createAuthClient({
baseURL: "http://localhost:3000",
plugins: [phoneNumberClient()],
fetchOptions: {
customFetchImpl,
},
});
const headers = new Headers();
const testPhoneNumber = "+251911121314";
it("should send verification code", async () => {
const res = await client.phoneNumber.sendOtp({
phoneNumber: testPhoneNumber,
});
expect(res.error).toBe(null);
expect(otp).toHaveLength(6);
});
it("should verify phone number", async () => {
const res = await client.phoneNumber.verify(
{
phoneNumber: testPhoneNumber,
code: otp,
},
{
onSuccess: sessionSetter(headers),
},
);
expect(res.error).toBe(null);
expect(res.data?.status).toBe(true);
});
it("shouldn't verify again with the same code", async () => {
const res = await client.phoneNumber.verify({
phoneNumber: testPhoneNumber,
code: otp,
});
expect(res.error?.status).toBe(400);
});
it("should update phone number", async () => {
const newPhoneNumber = "+0123456789";
await client.phoneNumber.sendOtp({
phoneNumber: newPhoneNumber,
fetchOptions: {
headers,
},
});
const res = await client.phoneNumber.verify({
phoneNumber: newPhoneNumber,
updatePhoneNumber: true,
code: otp,
fetchOptions: {
headers,
},
});
const user = await client.getSession({
fetchOptions: {
headers,
},
});
expect(user.data?.user.phoneNumber).toBe(newPhoneNumber);
expect(user.data?.user.phoneNumberVerified).toBe(true);
});
it("should not verify if code expired", async () => {
vi.useFakeTimers();
await client.phoneNumber.sendOtp({
phoneNumber: "+25120201212",
});
vi.advanceTimersByTime(1000 * 60 * 5 + 1); // 5 minutes + 1ms
const res = await client.phoneNumber.verify({
phoneNumber: "+25120201212",
code: otp,
});
expect(res.error?.status).toBe(400);
});
});
describe("phone auth flow", async () => {
let otp = "";
const { customFetchImpl, sessionSetter, auth } = await getTestInstance({
plugins: [
phoneNumber({
async sendOTP({ code }) {
otp = code;
},
signUpOnVerification: {
getTempEmail(phoneNumber) {
return `temp-${phoneNumber}`;
},
},
}),
bearer(),
],
user: {
changeEmail: {
enabled: true,
},
},
});
const client = createAuthClient({
baseURL: "http://localhost:3000",
plugins: [phoneNumberClient()],
fetchOptions: {
customFetchImpl,
},
});
it("should send otp", async () => {
const res = await client.phoneNumber.sendOtp({
phoneNumber: "+251911121314",
});
expect(res.error).toBe(null);
expect(otp).toHaveLength(6);
});
it("should verify phone number and create user & session", async () => {
const res = await client.phoneNumber.verify({
phoneNumber: "+251911121314",
code: otp,
});
const session = await client.getSession({
fetchOptions: {
headers: {
Authorization: `Bearer ${res.data?.token}`,
},
throw: true,
},
});
expect(session?.user.phoneNumberVerified).toBe(true);
expect(session?.user.email).toBe("temp-+251911121314");
expect(session?.session.token).toBeDefined();
});
let headers = new Headers();
it("should go through send-verify and sign-in the user", async () => {
await client.phoneNumber.sendOtp({
phoneNumber: "+251911121314",
});
const res = await client.phoneNumber.verify(
{
phoneNumber: "+251911121314",
code: otp,
},
{
onSuccess: sessionSetter(headers),
},
);
expect(res.data?.status).toBe(true);
});
const newEmail = "[email protected]";
it("should set password and update user", async () => {
const res = await auth.api.setPassword({
body: {
newPassword: "password",
},
headers,
});
const changedEmailRes = await client.changeEmail({
newEmail,
fetchOptions: {
headers,
},
});
expect(changedEmailRes.error).toBe(null);
expect(changedEmailRes.data?.status).toBe(true);
});
it("should sign in with phone number and password", async () => {
const res = await client.signIn.phoneNumber({
phoneNumber: "+251911121314",
password: "password",
});
expect(res.data?.token).toBeDefined();
});
it("should sign in with new email", async () => {
const res = await client.signIn.email({
email: newEmail,
password: "password",
});
expect(res.error).toBe(null);
});
});
describe("verify phone-number", async (it) => {
let otp = "";
const { customFetchImpl, sessionSetter } = await getTestInstance({
plugins: [
phoneNumber({
async sendOTP({ code }) {
otp = code;
},
signUpOnVerification: {
getTempEmail(phoneNumber) {
return `temp-${phoneNumber}`;
},
},
allowedAttempts: 3,
}),
],
});
const client = createAuthClient({
baseURL: "http://localhost:3000",
plugins: [phoneNumberClient()],
fetchOptions: {
customFetchImpl,
},
});
const headers = new Headers();
const testPhoneNumber = "+251911121314";
it("should verify the last code", async () => {
await client.phoneNumber.sendOtp({
phoneNumber: testPhoneNumber,
});
vi.useFakeTimers();
vi.advanceTimersByTime(1000);
await client.phoneNumber.sendOtp({
phoneNumber: testPhoneNumber,
});
vi.advanceTimersByTime(1000);
await client.phoneNumber.sendOtp({
phoneNumber: testPhoneNumber,
});
const res = await client.phoneNumber.verify(
{
phoneNumber: testPhoneNumber,
code: otp,
},
{
onSuccess: sessionSetter(headers),
},
);
expect(res.error).toBe(null);
expect(res.data?.status).toBe(true);
});
it("should block after exceeding allowed attempts", async () => {
await client.phoneNumber.sendOtp({
phoneNumber: testPhoneNumber,
});
for (let i = 0; i < 3; i++) {
const res = await client.phoneNumber.verify({
phoneNumber: testPhoneNumber,
code: "000000",
});
expect(res.error?.status).toBe(400);
expect(res.error?.message).toBe("Invalid OTP");
}
//Try one more time - should be blocked
const res = await client.phoneNumber.verify({
phoneNumber: testPhoneNumber,
code: "000000",
});
expect(res.error?.status).toBe(403);
expect(res.error?.message).toBe("Too many attempts");
});
});
describe("reset password flow attempts", async (it) => {
let otp = "";
let resetOtp = "";
const { customFetchImpl, sessionSetter } = await getTestInstance({
plugins: [
phoneNumber({
async sendOTP({ code }) {
console.log("sendOTP", code);
otp = code;
},
sendPasswordResetOTP(data, request) {
resetOtp = data.code;
},
signUpOnVerification: {
getTempEmail(phoneNumber) {
return `temp-${phoneNumber}`;
},
},
allowedAttempts: 3,
}),
],
});
const client = createAuthClient({
baseURL: "http://localhost:3000",
plugins: [phoneNumberClient()],
fetchOptions: {
customFetchImpl,
},
});
const testPhoneNumber = "+251911121314";
it("should block reset password after exceeding allowed attempts", async () => {
//register phone number
await client.phoneNumber.sendOtp({
phoneNumber: testPhoneNumber,
});
await client.phoneNumber.verify({
phoneNumber: testPhoneNumber,
code: otp,
});
await client.phoneNumber.requestPasswordReset({
phoneNumber: testPhoneNumber,
});
for (let i = 0; i < 3; i++) {
const res = await client.phoneNumber.resetPassword({
phoneNumber: testPhoneNumber,
otp: otp,
newPassword: "password",
});
expect(res.error?.status).toBe(400);
expect(res.error?.message).toBe("Invalid OTP");
}
const res = await client.phoneNumber.resetPassword({
phoneNumber: testPhoneNumber,
otp: otp,
newPassword: "password",
});
expect(res.error?.status).toBe(403);
expect(res.error?.message).toBe("Too many attempts");
});
it("should successfully reset password with correct code", async () => {
await client.phoneNumber.requestPasswordReset({
phoneNumber: testPhoneNumber,
});
const resetPasswordRes = await client.phoneNumber.resetPassword({
phoneNumber: testPhoneNumber,
otp: resetOtp,
newPassword: "password",
});
expect(resetPasswordRes.error).toBe(null);
expect(resetPasswordRes.data?.status).toBe(true);
});
it("shouldn't allow to re-use the same OTP code", async () => {
const res = await client.phoneNumber.resetPassword({
phoneNumber: testPhoneNumber,
otp: resetOtp,
newPassword: "password",
});
expect(res.error?.status).toBe(400);
});
});
describe("phone number verification requirement", async () => {
let otp = "";
const { customFetchImpl } = await getTestInstance({
plugins: [
phoneNumber({
async sendOTP({ code }) {
otp = code;
},
requireVerification: true,
signUpOnVerification: {
getTempEmail(phoneNumber) {
return `temp-${phoneNumber}`;
},
},
}),
],
user: {
changeEmail: {
enabled: true,
},
},
});
const client = createAuthClient({
baseURL: "http://localhost:3000",
plugins: [phoneNumberClient()],
fetchOptions: {
customFetchImpl,
},
});
const testPhoneNumber = "+251911121314";
const testPassword = "password123";
const testEmail = "[email protected]";
it("should not allow sign in with unverified phone number and trigger OTP send", async () => {
await client.signUp.email({
email: testEmail,
password: testPassword,
name: "test",
phoneNumber: testPhoneNumber,
});
const signInRes = await client.signIn.phoneNumber({
phoneNumber: testPhoneNumber,
password: testPassword,
});
expect(signInRes.error?.status).toBe(401);
expect(signInRes.error?.code).toMatch("PHONE_NUMBER_NOT_VERIFIED");
expect(otp).toHaveLength(6);
});
});
```
--------------------------------------------------------------------------------
/packages/better-auth/src/plugins/two-factor/index.ts:
--------------------------------------------------------------------------------
```typescript
import { generateRandomString } from "../../crypto/random";
import * as z from "zod";
import {
createAuthEndpoint,
createAuthMiddleware,
} from "@better-auth/core/api";
import { sessionMiddleware } from "../../api";
import { symmetricEncrypt } from "../../crypto";
import type { BetterAuthPlugin } from "@better-auth/core";
import {
backupCode2fa,
generateBackupCodes,
type BackupCodeOptions,
} from "./backup-codes";
import { otp2fa } from "./otp";
import { totp2fa } from "./totp";
import type { TwoFactorOptions, UserWithTwoFactor } from "./types";
import { mergeSchema } from "../../db/schema";
import { TWO_FACTOR_COOKIE_NAME, TRUST_DEVICE_COOKIE_NAME } from "./constant";
import { validatePassword } from "../../utils/password";
import { APIError } from "better-call";
import { deleteSessionCookie, setSessionCookie } from "../../cookies";
import { schema } from "./schema";
import { BASE_ERROR_CODES } from "@better-auth/core/error";
import { createOTP } from "@better-auth/utils/otp";
import { createHMAC } from "@better-auth/utils/hmac";
import { TWO_FACTOR_ERROR_CODES } from "./error-code";
export * from "./error-code";
export const twoFactor = (options?: TwoFactorOptions) => {
const opts = {
twoFactorTable: "twoFactor",
};
const backupCodeOptions = {
storeBackupCodes: "encrypted",
...options?.backupCodeOptions,
} satisfies BackupCodeOptions;
const totp = totp2fa(options?.totpOptions);
const backupCode = backupCode2fa(backupCodeOptions);
const otp = otp2fa(options?.otpOptions);
return {
id: "two-factor",
endpoints: {
...totp.endpoints,
...otp.endpoints,
...backupCode.endpoints,
/**
* ### Endpoint
*
* POST `/two-factor/enable`
*
* ### API Methods
*
* **server:**
* `auth.api.enableTwoFactor`
*
* **client:**
* `authClient.twoFactor.enable`
*
* @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-enable)
*/
enableTwoFactor: createAuthEndpoint(
"/two-factor/enable",
{
method: "POST",
body: z.object({
password: z.string().meta({
description: "User password",
}),
issuer: z
.string()
.meta({
description: "Custom issuer for the TOTP URI",
})
.optional(),
}),
use: [sessionMiddleware],
metadata: {
openapi: {
summary: "Enable two factor authentication",
description:
"Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. Once the user verifies the TOTP URI, the two factor authentication will be enabled.",
responses: {
200: {
description: "Successful response",
content: {
"application/json": {
schema: {
type: "object",
properties: {
totpURI: {
type: "string",
description: "TOTP URI",
},
backupCodes: {
type: "array",
items: {
type: "string",
},
description: "Backup codes",
},
},
},
},
},
},
},
},
},
},
async (ctx) => {
const user = ctx.context.session.user as UserWithTwoFactor;
const { password, issuer } = ctx.body;
const isPasswordValid = await validatePassword(ctx, {
password,
userId: user.id,
});
if (!isPasswordValid) {
throw new APIError("BAD_REQUEST", {
message: BASE_ERROR_CODES.INVALID_PASSWORD,
});
}
const secret = generateRandomString(32);
const encryptedSecret = await symmetricEncrypt({
key: ctx.context.secret,
data: secret,
});
const backupCodes = await generateBackupCodes(
ctx.context.secret,
backupCodeOptions,
);
if (options?.skipVerificationOnEnable) {
const updatedUser = await ctx.context.internalAdapter.updateUser(
user.id,
{
twoFactorEnabled: true,
},
);
const newSession = await ctx.context.internalAdapter.createSession(
updatedUser.id,
false,
ctx.context.session.session,
);
/**
* Update the session cookie with the new user data
*/
await setSessionCookie(ctx, {
session: newSession,
user: updatedUser,
});
//remove current session
await ctx.context.internalAdapter.deleteSession(
ctx.context.session.session.token,
);
}
//delete existing two factor
await ctx.context.adapter.deleteMany({
model: opts.twoFactorTable,
where: [
{
field: "userId",
value: user.id,
},
],
});
await ctx.context.adapter.create({
model: opts.twoFactorTable,
data: {
secret: encryptedSecret,
backupCodes: backupCodes.encryptedBackupCodes,
userId: user.id,
},
});
const totpURI = createOTP(secret, {
digits: options?.totpOptions?.digits || 6,
period: options?.totpOptions?.period,
}).url(issuer || options?.issuer || ctx.context.appName, user.email);
return ctx.json({ totpURI, backupCodes: backupCodes.backupCodes });
},
),
/**
* ### Endpoint
*
* POST `/two-factor/disable`
*
* ### API Methods
*
* **server:**
* `auth.api.disableTwoFactor`
*
* **client:**
* `authClient.twoFactor.disable`
*
* @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-disable)
*/
disableTwoFactor: createAuthEndpoint(
"/two-factor/disable",
{
method: "POST",
body: z.object({
password: z.string().meta({
description: "User password",
}),
}),
use: [sessionMiddleware],
metadata: {
openapi: {
summary: "Disable two factor authentication",
description:
"Use this endpoint to disable two factor authentication.",
responses: {
200: {
description: "Successful response",
content: {
"application/json": {
schema: {
type: "object",
properties: {
status: {
type: "boolean",
},
},
},
},
},
},
},
},
},
},
async (ctx) => {
const user = ctx.context.session.user as UserWithTwoFactor;
const { password } = ctx.body;
const isPasswordValid = await validatePassword(ctx, {
password,
userId: user.id,
});
if (!isPasswordValid) {
throw new APIError("BAD_REQUEST", {
message: "Invalid password",
});
}
const updatedUser = await ctx.context.internalAdapter.updateUser(
user.id,
{
twoFactorEnabled: false,
},
);
await ctx.context.adapter.delete({
model: opts.twoFactorTable,
where: [
{
field: "userId",
value: updatedUser.id,
},
],
});
const newSession = await ctx.context.internalAdapter.createSession(
updatedUser.id,
false,
ctx.context.session.session,
);
/**
* Update the session cookie with the new user data
*/
await setSessionCookie(ctx, {
session: newSession,
user: updatedUser,
});
//remove current session
await ctx.context.internalAdapter.deleteSession(
ctx.context.session.session.token,
);
return ctx.json({ status: true });
},
),
},
options: options,
hooks: {
after: [
{
matcher(context) {
return (
context.path === "/sign-in/email" ||
context.path === "/sign-in/username" ||
context.path === "/sign-in/phone-number"
);
},
handler: createAuthMiddleware(async (ctx) => {
const data = ctx.context.newSession;
if (!data) {
return;
}
if (!data?.user.twoFactorEnabled) {
return;
}
// Check for trust device cookie
const trustDeviceCookieName = ctx.context.createAuthCookie(
TRUST_DEVICE_COOKIE_NAME,
);
const trustDeviceCookie = await ctx.getSignedCookie(
trustDeviceCookieName.name,
ctx.context.secret,
);
if (trustDeviceCookie) {
const [token, sessionToken] = trustDeviceCookie.split("!");
const expectedToken = await createHMAC(
"SHA-256",
"base64urlnopad",
).sign(ctx.context.secret, `${data.user.id}!${sessionToken}`);
if (token === expectedToken) {
// Trust device cookie is valid, refresh it and skip 2FA
const newToken = await createHMAC(
"SHA-256",
"base64urlnopad",
).sign(ctx.context.secret, `${data.user.id}!${sessionToken}`);
await ctx.setSignedCookie(
trustDeviceCookieName.name,
`${newToken}!${data.session.token}`,
ctx.context.secret,
trustDeviceCookieName.attributes,
);
return;
}
}
/**
* remove the session cookie. It's set by the sign in credential
*/
deleteSessionCookie(ctx, true);
await ctx.context.internalAdapter.deleteSession(data.session.token);
const maxAge = (options?.otpOptions?.period ?? 3) * 60; // 3 minutes
const twoFactorCookie = ctx.context.createAuthCookie(
TWO_FACTOR_COOKIE_NAME,
{
maxAge,
},
);
const identifier = `2fa-${generateRandomString(20)}`;
await ctx.context.internalAdapter.createVerificationValue({
value: data.user.id,
identifier,
expiresAt: new Date(Date.now() + maxAge * 1000),
});
await ctx.setSignedCookie(
twoFactorCookie.name,
identifier,
ctx.context.secret,
twoFactorCookie.attributes,
);
return ctx.json({
twoFactorRedirect: true,
});
}),
},
],
},
schema: mergeSchema(schema, options?.schema),
rateLimit: [
{
pathMatcher(path) {
return path.startsWith("/two-factor/");
},
window: 10,
max: 3,
},
],
$ERROR_CODES: TWO_FACTOR_ERROR_CODES,
} satisfies BetterAuthPlugin;
};
export * from "./client";
export * from "./types";
```
--------------------------------------------------------------------------------
/docs/components/landing/testimonials.tsx:
--------------------------------------------------------------------------------
```typescript
import { cn } from "@/lib/utils";
import { Icons } from "../icons";
import Link from "next/link";
import { noSSR } from "foxact/no-ssr";
import { Suspense } from "react";
const testimonials = [
{
name: "Dev Ed",
profession: "Content Creator",
link: "https://x.com/edgarasben/status/1856336936505590160",
description:
"This has been the best auth experience by a mileee, auto generated my drizzle schemas for users, sessions etc, full type safe and dead simple api, well done @better_auth 👏👏",
avatar: "/people-say/dev-ed.png",
image: "",
social: <Icons.x />,
},
{
name: "Lazar Nikolov",
profession: "Software Engineer & Educator",
link: "https://x.com/NikolovLazar/status/1888992999872331985",
description:
"I didn't know @better_auth was THAT good. I'm implementing it in TanStack Start and I can't believe how good the DX is. This is my favorite stack now (along with @DrizzleORM and @shadcn ui).",
avatar: "/people-say/lazar-nikolov.png",
image: "",
social: <Icons.x />,
},
{
name: "Theo - t3.gg",
profession: "CEO of t3.chat",
link: "https://x.com/theo/status/1879769267866120341",
description: "Very exciting project and a super easy rec",
avatar: "/people-say/theo.png",
image: "",
social: <Icons.x />,
},
{
name: "kitze",
profession: "http://sizzy.co",
link: "https://x.com/thekitze/status/1911524156115476831",
description:
"I rarely stumble upon a framework/library that makes me rethink things. @better_auth is a rare exception. it literally delayed @zerotoshipped for a week...",
avatar: "/people-say/kitze.jpg",
image: "",
social: <Icons.x />,
},
{
name: "Sébastien Chopin",
profession: "Creator of Nuxt & NuxtLabs",
link: "https://x.com/Atinux/status/1853751424561336322",
description:
"When @better_auth meets @nuxt_hub to build full-stack Nuxt apps on Cloudflare (using D1 & KV).",
avatar: "/people-say/sebastien-chopin.png",
image: "",
social: <Icons.x />,
},
{
name: "Dax",
profession: "Creator of SST",
link: "https://x.com/thdxr/status/1866222656468705426",
description:
"between better-auth and openauth one of those options should cover how you want to do things for 95% of cases. the problem of defaulting to SaaS for auth in js is finally fixed...",
avatar: "/people-say/dax.png",
image: "",
social: <Icons.x />,
},
{
name: "SaltyAtom",
profession: "Creator of ElysiaJS",
link: "https://x.com/saltyAom/status/1916919136565051491",
description: `Strategies to win at Auth:
1. Copy Better Auth -
2. Go back to 1`,
avatar: "/people-say/saltyatom.jpg",
image: "",
social: <Icons.x />,
},
{
name: "Josh Tried Coding",
profession: "devrel @upstash",
description: `using better-auth for the first time
holy sh** is it good, works so nice with typescript + drizzle`,
avatar: "/people-say/josh-tried-coding.jpg",
image: "",
link: "https://x.com/joshtriedcoding/status/1916108678672900301",
social: <Icons.x />,
},
{
name: "Xavier Pladevall",
profession: "Founder of IndexBI",
description: `We've been using @better_auth in prod @IndexBI and absolutely love it. Super comprehensive from day one.👏`,
avatar: "/people-say/xavier-pladevall.jpg",
image: "",
link: "https://x.com/xavierpladevall/status/1915490484891341211",
social: <Icons.x />,
},
{
name: "Code with Antonio",
profession: "Content Creator",
description: `i swear @polar_sh and @better_auth developer experience should be mandatory teaching for all CS students`,
link: "https://x.com/YTCodeAntonio/status/1920214390680236396",
avatar: "/people-say/code-with-antonio.jpg",
image: "",
social: <Icons.x />,
},
{
name: "Ryan Vogel",
profession: "Founder of exon",
description:
"i have been using better-auth for exon todo and it is like so fast, I set it up once and it just works",
link: "https://x.com/ryandavogel/status/1914789770451964150",
avatar: "/people-say/ryan-vogel.jpg",
image: "",
social: <Icons.x />,
},
{
name: "Dagmawi Babi",
profession: "Developer",
link: "https://x.com/DagmawiBabi/status/1845966382703280458",
description:
"@better_auth exceeded all expectations, and it's just getting started",
avatar: "/people-say/dagmawi-babi.png",
image: "",
social: <Icons.x />,
},
{
name: "Tech Nerd",
profession: "Developer",
link: "https://x.com/TechNerd556/status/1863523931614822784",
description:
"Using @better_auth with custom components feels like having someone hand you the remote while you're comfortably on the sofa. The ease I'm feeling rn is insane Auth done in under 5 minutes 🤌⚡️.",
avatar: "/people-say/tech-nerd.png",
image: "",
social: <Icons.x />,
},
{
name: "Omar McAdam",
profession: "Creator of AugmentedHQ",
link: "https://x.com/McPizza0/status/1879526862046839249",
description:
"if you're building a code project in 2025 use @better_auth. It has everything you need now and everything you'll need at scale. dont take this suggestion lightly..",
avatar: "/people-say/omar-mcadam.png",
image: "",
social: <Icons.x />,
},
{
name: "Guillermo Rauch",
profession: "CEO of Vercel",
link: "https://x.com/rauchg/status/1871628287962906846",
description: "Great project & maintainer",
avatar: "/people-say/guillermo-rauch.png",
image: "",
social: <Icons.x />,
},
{
name: "Nizzy",
profession: "Co-founder of Zero",
link: "https://x.com/NizzyABI/status/1889178812459422162",
description:
"i cant believe how easy @better_auth is compared to @authjs all i had to do was connect it to my drizzle schema and create a sign up page w the auth :)))",
avatar: "/people-say/nizzy.png",
image: "",
social: <Icons.x />,
},
{
name: "Vybhav Bhargav",
profession: "Founding engineer @glyfspace",
link: "https://x.com/vybhavab/status/1891589126513684669",
description: "better-auth is a work of art.",
avatar: "/people-say/vybhav-bhargav.png",
social: <Icons.x />,
},
{
name: "EGOIST",
profession: "Creator of tsup, ChatWise",
link: "https://x.com/localhost_5173/status/1951152679461278068",
description: "better-auth is great, I use it everywhere",
avatar: "/people-say/egoist.png",
social: <Icons.x />,
},
];
type TestimonialProps = (typeof testimonials)[number];
const TestimonialItem = ({
reverse = false,
testimonials,
noSsr,
}: {
reverse?: boolean;
testimonials: TestimonialProps[];
noSsr?: boolean;
}) => {
noSsr && noSSR();
const animeSeconds = testimonials.length * 10;
return (
<div className="max-w-full mx-auto">
<div
className={`[--anime-duration:${animeSeconds}s] px-10 mx-auto w-full`}
>
<div
style={{
animationDuration: `${animeSeconds}s`,
}}
className={cn(
"scroller flex flex-nowrap w-max min-w-full duration-[1000s] hover:[animation-play-state:paused] overflow-hidden relative gap-5 justify-around shrink-0",
reverse ? "animate-hrtl-scroll-reverse " : "animate-hrtl-scroll",
)}
>
{testimonials.map((testimonial, indx) => {
return (
<div
key={indx}
className={cn(
"flex flex-col justify-between h-[220px] rounded-none border-[1.2px] border-black/20 shrink-0 grow-0 w-[450px] dark:border-white/10",
)}
>
<p className="px-5 py-5 tracking-tight text-md font-extralight sm:text-xl md:text-lg text-pretty text-text-primary dark:text-dark-text-primary">
"{testimonial.description}."
</p>
<div className="flex overflow-hidden h-[28%] gap-1 w-full border-t-[1.2px]">
<div className="flex items-center w-3/4 gap-3 px-4 py-3">
<img
src={testimonial.avatar}
className="w-10 h-10 rounded-full"
alt="avatar"
/>
<div className="flex flex-col items-start justify-start flex-1 gap-0">
<h5 className="text-base font-medium md:text-md">
{testimonial.name}
</h5>
<p className="text-sm md:text-base text-black/30 mt-[-4px] text-text-tertiary dark:text-white/50 dark:text-dark-text-tertiary">
{testimonial.profession}
</p>
</div>
</div>
<div className="w-[1px] bg-black/20 dark:bg-white/20" />
<div className="flex items-center justify-center max-w-full mx-auto">
<Link href={testimonial.link} target="_blank">
{testimonial.social}
</Link>
</div>
</div>
</div>
);
})}
</div>
</div>
</div>
);
};
export const Testimonial = () => {
return (
<div className="max-w-full py-5 mx-auto overflow-hidden">
<div className="flex flex-col gap-3">
<div
style={{
maskImage:
"linear-gradient(to left, transparent 0%, black 20%, black 80%, transparent 95%)",
}}
className="relative flex justify-around gap-5 overflow-hidden shrink-0"
>
<Suspense
fallback={
<TestimonialItem
testimonials={Array(15)
.fill(
testimonials.slice(
Math.floor(testimonials.length / 2) + 1,
testimonials.length - 1,
),
)
.flat()}
/>
}
>
<TestimonialItem
noSsr
reverse
testimonials={Array(15)
.sort(() => Math.random() - 0.5)
.fill(
testimonials.slice(0, Math.floor(testimonials.length / 2)),
)
.flat()}
/>
</Suspense>
</div>
<div
style={{
maskImage:
"linear-gradient(to left, transparent 0%, black 20%, black 80%, transparent 95%)",
}}
className="relative flex justify-around gap-5 overflow-hidden shrink-0"
>
<Suspense
fallback={
<TestimonialItem
testimonials={Array(15)
.fill(
testimonials.slice(
Math.floor(testimonials.length / 2) + 1,
testimonials.length - 1,
),
)
.flat()}
/>
}
>
<TestimonialItem
noSsr
testimonials={Array(15)
.sort(() => Math.random() - 0.5)
.fill(
testimonials.slice(
Math.floor(testimonials.length / 2) + 1,
testimonials.length - 1,
),
)
.flat()}
/>
</Suspense>
</div>
</div>
</div>
);
};
```
--------------------------------------------------------------------------------
/docs/components/builder/sign-up.tsx:
--------------------------------------------------------------------------------
```typescript
"use client";
import { Button } from "@/components/ui/button";
import {
Card,
CardContent,
CardDescription,
CardFooter,
CardHeader,
CardTitle,
} from "@/components/ui/card";
import { Input } from "@/components/ui/input";
import { Label } from "@/components/ui/label";
import { useState } from "react";
import Image from "next/image";
import { Loader2, X } from "lucide-react";
import { useRouter } from "next/navigation";
export function SignUp() {
const [firstName, setFirstName] = useState("");
const [lastName, setLastName] = useState("");
const [email, setEmail] = useState("");
const [password, setPassword] = useState("");
const [passwordConfirmation, setPasswordConfirmation] = useState("");
const [image, setImage] = useState<File | null>(null);
const [imagePreview, setImagePreview] = useState<string | null>(null);
const router = useRouter();
const handleImageChange = (e: React.ChangeEvent<HTMLInputElement>) => {
const file = e.target.files?.[0];
if (file) {
setImage(file);
const reader = new FileReader();
reader.onloadend = () => {
setImagePreview(reader.result as string);
};
reader.readAsDataURL(file);
}
};
const [loading, setLoading] = useState(false);
return (
<Card className="z-50 rounded-md rounded-t-none max-w-md">
<CardHeader>
<CardTitle className="text-lg md:text-xl">Sign Up</CardTitle>
<CardDescription className="text-xs md:text-sm">
Enter your information to create an account
</CardDescription>
</CardHeader>
<CardContent>
<div className="grid gap-4">
<div className="grid grid-cols-2 gap-4">
<div className="grid gap-2">
<Label htmlFor="first-name">First name</Label>
<Input
id="first-name"
placeholder="Max"
required
onChange={(e) => {
setFirstName(e.target.value);
}}
value={firstName}
/>
</div>
<div className="grid gap-2">
<Label htmlFor="last-name">Last name</Label>
<Input
id="last-name"
placeholder="Robinson"
required
onChange={(e) => {
setLastName(e.target.value);
}}
value={lastName}
/>
</div>
</div>
<div className="grid gap-2">
<Label htmlFor="email">Email</Label>
<Input
id="email"
type="email"
placeholder="[email protected]"
required
onChange={(e) => {
setEmail(e.target.value);
}}
value={email}
/>
</div>
<div className="grid gap-2">
<Label htmlFor="password">Password</Label>
<Input
id="password"
type="password"
value={password}
onChange={(e) => setPassword(e.target.value)}
autoComplete="new-password"
placeholder="Password"
/>
</div>
<div className="grid gap-2">
<Label htmlFor="password">Confirm Password</Label>
<Input
id="password_confirmation"
type="password"
value={passwordConfirmation}
onChange={(e) => setPasswordConfirmation(e.target.value)}
autoComplete="new-password"
placeholder="Confirm Password"
/>
</div>
<div className="grid gap-2">
<Label htmlFor="image">Profile Image (optional)</Label>
<div className="flex items-end gap-4">
{imagePreview && (
<div className="relative w-16 h-16 rounded-sm overflow-hidden">
<Image
src={imagePreview}
alt="Profile preview"
layout="fill"
objectFit="cover"
/>
</div>
)}
<div className="flex items-center gap-2 w-full">
<Input
id="image"
type="file"
accept="image/*"
onChange={handleImageChange}
className="w-full"
/>
{imagePreview && (
<X
className="cursor-pointer"
onClick={() => {
setImage(null);
setImagePreview(null);
}}
/>
)}
</div>
</div>
</div>
<Button
type="submit"
className="w-full"
disabled={loading}
onClick={async () => {}}
>
{loading ? (
<Loader2 size={16} className="animate-spin" />
) : (
"Create an account"
)}
</Button>
</div>
</CardContent>
<CardFooter>
<div className="flex justify-center w-full border-t py-4">
<p className="text-center text-xs text-neutral-500">
Secured by <span className="text-orange-400">better-auth.</span>
</p>
</div>
</CardFooter>
</Card>
);
}
async function convertImageToBase64(file: File): Promise<string> {
return new Promise((resolve, reject) => {
const reader = new FileReader();
reader.onloadend = () => resolve(reader.result as string);
reader.onerror = reject;
reader.readAsDataURL(file);
});
}
export const signUpString = `"use client";
import { Button } from "@/components/ui/button";
import {
Card,
CardContent,
CardDescription,
CardFooter,
CardHeader,
CardTitle,
} from "@/components/ui/card";
import { Input } from "@/components/ui/input";
import { Label } from "@/components/ui/label";
import { useState } from "react";
import Image from "next/image";
import { Loader2, X } from "lucide-react";
import { signUp } from "@/lib/auth-client";
import { toast } from "sonner";
import { useRouter } from "next/navigation";
export default function SignUp() {
const [firstName, setFirstName] = useState("");
const [lastName, setLastName] = useState("");
const [email, setEmail] = useState("");
const [password, setPassword] = useState("");
const [passwordConfirmation, setPasswordConfirmation] = useState("");
const [image, setImage] = useState<File | null>(null);
const [imagePreview, setImagePreview] = useState<string | null>(null);
const router = useRouter();
const [loading, setLoading] = useState(false);
const handleImageChange = (e: React.ChangeEvent<HTMLInputElement>) => {
const file = e.target.files?.[0];
if (file) {
setImage(file);
const reader = new FileReader();
reader.onloadend = () => {
setImagePreview(reader.result as string);
};
reader.readAsDataURL(file);
}
};
return (
<Card className="z-50 rounded-md rounded-t-none max-w-md">
<CardHeader>
<CardTitle className="text-lg md:text-xl">Sign Up</CardTitle>
<CardDescription className="text-xs md:text-sm">
Enter your information to create an account
</CardDescription>
</CardHeader>
<CardContent>
<div className="grid gap-4">
<div className="grid grid-cols-2 gap-4">
<div className="grid gap-2">
<Label htmlFor="first-name">First name</Label>
<Input
id="first-name"
placeholder="Max"
required
onChange={(e) => {
setFirstName(e.target.value);
}}
value={firstName}
/>
</div>
<div className="grid gap-2">
<Label htmlFor="last-name">Last name</Label>
<Input
id="last-name"
placeholder="Robinson"
required
onChange={(e) => {
setLastName(e.target.value);
}}
value={lastName}
/>
</div>
</div>
<div className="grid gap-2">
<Label htmlFor="email">Email</Label>
<Input
id="email"
type="email"
placeholder="[email protected]"
required
onChange={(e) => {
setEmail(e.target.value);
}}
value={email}
/>
</div>
<div className="grid gap-2">
<Label htmlFor="password">Password</Label>
<Input
id="password"
type="password"
value={password}
onChange={(e) => setPassword(e.target.value)}
autoComplete="new-password"
placeholder="Password"
/>
</div>
<div className="grid gap-2">
<Label htmlFor="password">Confirm Password</Label>
<Input
id="password_confirmation"
type="password"
value={passwordConfirmation}
onChange={(e) => setPasswordConfirmation(e.target.value)}
autoComplete="new-password"
placeholder="Confirm Password"
/>
</div>
<div className="grid gap-2">
<Label htmlFor="image">Profile Image (optional)</Label>
<div className="flex items-end gap-4">
{imagePreview && (
<div className="relative w-16 h-16 rounded-sm overflow-hidden">
<Image
src={imagePreview}
alt="Profile preview"
layout="fill"
objectFit="cover"
/>
</div>
)}
<div className="flex items-center gap-2 w-full">
<Input
id="image"
type="file"
accept="image/*"
onChange={handleImageChange}
className="w-full"
/>
{imagePreview && (
<X
className="cursor-pointer"
onClick={() => {
setImage(null);
setImagePreview(null);
}}
/>
)}
</div>
</div>
</div>
<Button
type="submit"
className="w-full"
disabled={loading}
onClick={async () => {
await signUp.email({
email,
password,
name: \`\${firstName} \${lastName}\`,
image: image ? await convertImageToBase64(image) : "",
callbackURL: "/dashboard",
fetchOptions: {
onResponse: () => {
setLoading(false);
},
onRequest: () => {
setLoading(true);
},
onError: (ctx) => {
toast.error(ctx.error.message);
},
onSuccess: async () => {
router.push("/dashboard");
},
},
});
}}
>
{loading ? (
<Loader2 size={16} className="animate-spin" />
) : (
"Create an account"
)}
</Button>
</div>
</CardContent>
<CardFooter>
<div className="flex justify-center w-full border-t py-4">
<p className="text-center text-xs text-neutral-500">
Secured by <span className="text-orange-400">better-auth.</span>
</p>
</div>
</CardFooter>
</Card>
);
}
async function convertImageToBase64(file: File): Promise<string> {
return new Promise((resolve, reject) => {
const reader = new FileReader();
reader.onloadend = () => resolve(reader.result as string);
reader.onerror = reject;
reader.readAsDataURL(file);
});
}`;
```
--------------------------------------------------------------------------------
/packages/expo/src/expo.test.ts:
--------------------------------------------------------------------------------
```typescript
import { createAuthClient } from "better-auth/react";
import Database from "better-sqlite3";
import { beforeAll, afterAll, describe, expect, it, vi } from "vitest";
import { expo } from ".";
import { expoClient, storageAdapter } from "./client";
import { betterAuth } from "better-auth";
import { getMigrations } from "better-auth/db";
import { oAuthProxy } from "better-auth/plugins";
vi.mock("expo-web-browser", async () => {
return {
openAuthSessionAsync: vi.fn(async (...args) => {
fn(...args);
return {
type: "success",
url: "better-auth://?cookie=better-auth.session_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjYxMzQwZj",
};
}),
};
});
vi.mock("react-native", async () => {
return {
Platform: {
OS: "android",
},
};
});
vi.mock("expo-constants", async () => {
return {
default: {
platform: {
scheme: "better-auth",
},
},
};
});
vi.mock("expo-linking", async () => {
return {
createURL: vi.fn((url) => `better-auth://${url}`),
};
});
const fn = vi.fn();
function testUtils(extraOpts?: Parameters<typeof betterAuth>[0]) {
const storage = new Map<string, string>();
const auth = betterAuth({
baseURL: "http://localhost:3000",
database: new Database(":memory:"),
emailAndPassword: {
enabled: true,
},
socialProviders: {
google: {
clientId: "test",
clientSecret: "test",
},
},
plugins: [expo(), oAuthProxy()],
trustedOrigins: ["better-auth://"],
...extraOpts,
});
const client = createAuthClient({
baseURL: "http://localhost:3000",
fetchOptions: {
customFetchImpl: (url, init) => {
const req = new Request(url.toString(), init);
return auth.handler(req);
},
},
plugins: [
expoClient({
storage: {
getItem: (key) => storage.get(key) || null,
setItem: async (key, value) => storage.set(key, value),
},
}),
],
});
return { storage, auth, client };
}
describe("expo", async () => {
const { auth, client, storage } = testUtils();
beforeAll(async () => {
const { runMigrations } = await getMigrations(auth.options);
await runMigrations();
vi.useFakeTimers();
});
afterAll(() => {
vi.useRealTimers();
});
it("should store cookie with expires date", async () => {
const testUser = {
email: "[email protected]",
password: "password",
name: "Test User",
};
await client.signUp.email(testUser);
const storedCookie = storage.get("better-auth_cookie");
expect(storedCookie).toBeDefined();
const parsedCookie = JSON.parse(storedCookie || "");
expect(parsedCookie["better-auth.session_token"]).toMatchObject({
value: expect.stringMatching(/.+/),
expires: expect.any(String),
});
});
it("should send cookie and get session", async () => {
const { data } = await client.getSession();
expect(data).toMatchObject({
session: expect.any(Object),
user: expect.any(Object),
});
});
it("should use the scheme to open the browser", async () => {
const { data: res } = await client.signIn.social({
provider: "google",
callbackURL: "/dashboard",
});
const stateId = res?.url?.split("state=")[1]!.split("&")[0];
const ctx = await auth.$context;
if (!stateId) {
throw new Error("State ID not found");
}
const state = await ctx.internalAdapter.findVerificationValue(stateId);
const callbackURL = JSON.parse(state?.value || "{}").callbackURL;
expect(callbackURL).toBe("better-auth:///dashboard");
expect(res).toMatchObject({
url: expect.stringContaining("accounts.google"),
});
expect(fn).toHaveBeenCalledWith(
expect.stringContaining("accounts.google"),
"better-auth:///dashboard",
);
});
it("should get cookies", async () => {
const c = client.getCookie();
expect(c).includes("better-auth.session_token");
});
it("should correctly parse multiple Set-Cookie headers with Expires commas", async () => {
const header =
"better-auth.session_token=abc; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/, better-auth.session_data=xyz; Expires=Thu, 22 Oct 2015 07:28:00 GMT; Path=/";
const map = (await import("./client")).parseSetCookieHeader(header);
expect(map.get("better-auth.session_token")?.value).toBe("abc");
expect(map.get("better-auth.session_data")?.value).toBe("xyz");
});
it("should not trigger infinite refetch with non-better-auth cookies", async () => {
const { hasBetterAuthCookies } = await import("./client");
const betterAuthOnlyHeader = "better-auth.session_token=abc; Path=/";
expect(hasBetterAuthCookies(betterAuthOnlyHeader, "better-auth")).toBe(
true,
);
const sessionDataHeader = "better-auth.session_data=xyz; Path=/";
expect(hasBetterAuthCookies(sessionDataHeader, "better-auth")).toBe(true);
const secureBetterAuthHeader =
"__Secure-better-auth.session_token=abc; Path=/";
expect(hasBetterAuthCookies(secureBetterAuthHeader, "better-auth")).toBe(
true,
);
const secureSessionDataHeader =
"__Secure-better-auth.session_data=xyz; Path=/";
expect(hasBetterAuthCookies(secureSessionDataHeader, "better-auth")).toBe(
true,
);
const nonBetterAuthHeader = "__cf_bm=abc123; Path=/; HttpOnly; Secure";
expect(hasBetterAuthCookies(nonBetterAuthHeader, "better-auth")).toBe(
false,
);
const mixedHeader =
"__cf_bm=abc123; Path=/; HttpOnly; Secure, better-auth.session_token=xyz; Path=/";
expect(hasBetterAuthCookies(mixedHeader, "better-auth")).toBe(true);
const customPrefixHeader = "my-app.session_token=abc; Path=/";
expect(hasBetterAuthCookies(customPrefixHeader, "my-app")).toBe(true);
expect(hasBetterAuthCookies(customPrefixHeader, "better-auth")).toBe(false);
const customPrefixDataHeader = "my-app.session_data=abc; Path=/";
expect(hasBetterAuthCookies(customPrefixDataHeader, "my-app")).toBe(true);
const emptyPrefixHeader = "session_token=abc; Path=/";
expect(hasBetterAuthCookies(emptyPrefixHeader, "")).toBe(true);
const customFullNameHeader = "my_custom_session_token=abc; Path=/";
expect(hasBetterAuthCookies(customFullNameHeader, "")).toBe(true);
const customFullDataHeader = "my_custom_session_data=xyz; Path=/";
expect(hasBetterAuthCookies(customFullDataHeader, "")).toBe(true);
const multipleNonBetterAuthHeader =
"__cf_bm=abc123; Path=/, _ga=GA1.2.123456789.1234567890; Path=/";
expect(
hasBetterAuthCookies(multipleNonBetterAuthHeader, "better-auth"),
).toBe(false);
const nonSessionBetterAuthHeader = "better-auth.other_cookie=abc; Path=/";
expect(
hasBetterAuthCookies(nonSessionBetterAuthHeader, "better-auth"),
).toBe(false);
});
it("should preserve unchanged client store session properties on signout", async () => {
const before = client.$store.atoms.session!.get();
await client.signOut();
const after = client.$store.atoms.session!.get();
expect(after).toMatchObject({
...before,
data: null,
error: null,
isPending: false,
});
});
});
describe("expo with cookieCache", async () => {
const { auth, client, storage } = testUtils({
session: {
expiresIn: 5,
cookieCache: {
enabled: true,
maxAge: 1,
},
},
});
beforeAll(async () => {
const { runMigrations } = await getMigrations(auth.options);
await runMigrations();
vi.useFakeTimers();
});
afterAll(() => {
vi.useRealTimers();
});
it("should store cookie with expires date", async () => {
const testUser = {
email: "[email protected]",
password: "password",
name: "Test User",
};
await client.signUp.email(testUser);
const storedCookie = storage.get("better-auth_cookie");
expect(storedCookie).toBeDefined();
const parsedCookie = JSON.parse(storedCookie || "");
expect(parsedCookie["better-auth.session_token"]).toMatchObject({
value: expect.stringMatching(/.+/),
expires: expect.any(String),
});
expect(parsedCookie["better-auth.session_data"]).toMatchObject({
value: expect.stringMatching(/.+/),
expires: expect.any(String),
});
});
it("should refresh session_data when it expired without erasing session_token", async () => {
vi.advanceTimersByTime(1000);
const { data } = await client.getSession();
expect(data).toMatchObject({
session: expect.any(Object),
user: expect.any(Object),
});
const storedCookie = storage.get("better-auth_cookie");
expect(storedCookie).toBeDefined();
const parsedCookie = JSON.parse(storedCookie || "");
expect(parsedCookie["better-auth.session_token"]).toMatchObject({
value: expect.any(String),
expires: expect.any(String),
});
expect(parsedCookie["better-auth.session_data"]).toMatchObject({
value: expect.any(String),
expires: expect.any(String),
});
});
it("should erase both session_data and session_token when token expired", async () => {
vi.advanceTimersByTime(5000);
const { data } = await client.getSession();
expect(data).toBeNull();
const storedCookie = storage.get("better-auth_cookie");
expect(storedCookie).toBeDefined();
const parsedCookie = JSON.parse(storedCookie || "");
expect(parsedCookie["better-auth.session_token"]).toMatchObject({
value: expect.any(String),
expires: expect.any(String),
});
expect(parsedCookie["better-auth.session_data"]).toMatchObject({
value: expect.any(String),
expires: expect.any(String),
});
});
it("should add `exp://` to trusted origins", async () => {
vi.stubEnv("NODE_ENV", "development");
const auth = betterAuth({
plugins: [expo()],
trustedOrigins: ["http://localhost:3000"],
});
const ctx = await auth.$context;
expect(ctx.options.trustedOrigins).toContain("exp://");
expect(ctx.options.trustedOrigins).toContain("http://localhost:3000");
});
it("should allow independent cookiePrefix configuration", async () => {
const { hasBetterAuthCookies } = await import("./client");
const customCookieHeader = "my-app.session_token=abc; Path=/";
expect(hasBetterAuthCookies(customCookieHeader, "my-app")).toBe(true);
expect(hasBetterAuthCookies(customCookieHeader, "better-auth")).toBe(false);
});
it("should normalize colons in secure storage name via storage adapter", async () => {
const map = new Map<string, string>();
const storage = storageAdapter({
getItem(name) {
return map.get(name) || null;
},
setItem(name, value) {
map.set(name, value);
},
});
storage.setItem("better-auth:session_token", "123");
expect(map.has("better-auth_session_token")).toBe(true);
expect(map.has("better-auth:session_token")).toBe(false);
});
});
```
--------------------------------------------------------------------------------
/packages/better-auth/src/plugins/two-factor/otp/index.ts:
--------------------------------------------------------------------------------
```typescript
import { APIError } from "better-call";
import * as z from "zod";
import { createAuthEndpoint } from "@better-auth/core/api";
import { verifyTwoFactor } from "../verify-two-factor";
import type { TwoFactorProvider, UserWithTwoFactor } from "../types";
import { TWO_FACTOR_ERROR_CODES } from "../error-code";
import {
generateRandomString,
symmetricDecrypt,
symmetricEncrypt,
} from "../../../crypto";
import { setSessionCookie } from "../../../cookies";
import { BASE_ERROR_CODES } from "@better-auth/core/error";
import { defaultKeyHasher } from "../utils";
import type { GenericEndpointContext } from "@better-auth/core";
export interface OTPOptions {
/**
* How long the opt will be valid for in
* minutes
*
* @default "3 mins"
*/
period?: number;
/**
* Number of digits for the OTP code
*
* @default 6
*/
digits?: number;
/**
* Send the otp to the user
*
* @param user - The user to send the otp to
* @param otp - The otp to send
* @param request - The request object
* @returns void | Promise<void>
*/
sendOTP?: (
/**
* The user to send the otp to
* @type UserWithTwoFactor
* @default UserWithTwoFactors
*/
data: {
user: UserWithTwoFactor;
otp: string;
},
/**
* The request object
*/
request?: Request,
) => Promise<void> | void;
/**
* The number of allowed attempts for the OTP
*
* @default 5
*/
allowedAttempts?: number;
storeOTP?:
| "plain"
| "encrypted"
| "hashed"
| { hash: (token: string) => Promise<string> }
| {
encrypt: (token: string) => Promise<string>;
decrypt: (token: string) => Promise<string>;
};
}
/**
* The otp adapter is created from the totp adapter.
*/
export const otp2fa = (options?: OTPOptions) => {
const opts = {
storeOTP: "plain",
digits: 6,
...options,
period: (options?.period || 3) * 60 * 1000,
};
async function storeOTP(ctx: GenericEndpointContext, otp: string) {
if (opts.storeOTP === "hashed") {
return await defaultKeyHasher(otp);
}
if (typeof opts.storeOTP === "object" && "hash" in opts.storeOTP) {
return await opts.storeOTP.hash(otp);
}
if (typeof opts.storeOTP === "object" && "encrypt" in opts.storeOTP) {
return await opts.storeOTP.encrypt(otp);
}
if (opts.storeOTP === "encrypted") {
return await symmetricEncrypt({
key: ctx.context.secret,
data: otp,
});
}
return otp;
}
async function decryptOTP(ctx: GenericEndpointContext, otp: string) {
if (opts.storeOTP === "hashed") {
return await defaultKeyHasher(otp);
}
if (opts.storeOTP === "encrypted") {
return await symmetricDecrypt({
key: ctx.context.secret,
data: otp,
});
}
if (typeof opts.storeOTP === "object" && "encrypt" in opts.storeOTP) {
return await opts.storeOTP.decrypt(otp);
}
if (typeof opts.storeOTP === "object" && "hash" in opts.storeOTP) {
return await opts.storeOTP.hash(otp);
}
return otp;
}
/**
* Generate OTP and send it to the user.
*/
const send2FaOTP = createAuthEndpoint(
"/two-factor/send-otp",
{
method: "POST",
body: z
.object({
/**
* if true, the device will be trusted
* for 30 days. It'll be refreshed on
* every sign in request within this time.
*/
trustDevice: z.boolean().optional().meta({
description:
"If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true",
}),
})
.optional(),
metadata: {
openapi: {
summary: "Send two factor OTP",
description: "Send two factor OTP to the user",
responses: {
200: {
description: "Successful response",
content: {
"application/json": {
schema: {
type: "object",
properties: {
status: {
type: "boolean",
},
},
},
},
},
},
},
},
},
},
async (ctx) => {
if (!options || !options.sendOTP) {
ctx.context.logger.error(
"send otp isn't configured. Please configure the send otp function on otp options.",
);
throw new APIError("BAD_REQUEST", {
message: "otp isn't configured",
});
}
const { session, key } = await verifyTwoFactor(ctx);
if (!session.user.twoFactorEnabled) {
throw new APIError("BAD_REQUEST", {
message: TWO_FACTOR_ERROR_CODES.OTP_NOT_ENABLED,
});
}
const code = generateRandomString(opts.digits, "0-9");
const hashedCode = await storeOTP(ctx, code);
await ctx.context.internalAdapter.createVerificationValue({
value: `${hashedCode}:0`,
identifier: `2fa-otp-${key}`,
expiresAt: new Date(Date.now() + opts.period),
});
await options.sendOTP(
{ user: session.user as UserWithTwoFactor, otp: code },
ctx.request,
);
return ctx.json({ status: true });
},
);
const verifyOTP = createAuthEndpoint(
"/two-factor/verify-otp",
{
method: "POST",
body: z.object({
code: z.string().meta({
description: 'The otp code to verify. Eg: "012345"',
}),
/**
* if true, the device will be trusted
* for 30 days. It'll be refreshed on
* every sign in request within this time.
*/
trustDevice: z.boolean().optional().meta({
description:
"If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true",
}),
}),
metadata: {
openapi: {
summary: "Verify two factor OTP",
description: "Verify two factor OTP",
responses: {
"200": {
description: "Two-factor OTP verified successfully",
content: {
"application/json": {
schema: {
type: "object",
properties: {
token: {
type: "string",
description:
"Session token for the authenticated session",
},
user: {
type: "object",
properties: {
id: {
type: "string",
description: "Unique identifier of the user",
},
email: {
type: "string",
format: "email",
nullable: true,
description: "User's email address",
},
emailVerified: {
type: "boolean",
nullable: true,
description: "Whether the email is verified",
},
name: {
type: "string",
nullable: true,
description: "User's name",
},
image: {
type: "string",
format: "uri",
nullable: true,
description: "User's profile image URL",
},
createdAt: {
type: "string",
format: "date-time",
description: "Timestamp when the user was created",
},
updatedAt: {
type: "string",
format: "date-time",
description:
"Timestamp when the user was last updated",
},
},
required: ["id", "createdAt", "updatedAt"],
description: "The authenticated user object",
},
},
required: ["token", "user"],
},
},
},
},
},
},
},
},
async (ctx) => {
const { session, key, valid, invalid } = await verifyTwoFactor(ctx);
const toCheckOtp =
await ctx.context.internalAdapter.findVerificationValue(
`2fa-otp-${key}`,
);
const [otp, counter] = toCheckOtp?.value?.split(":") ?? [];
const decryptedOtp = await decryptOTP(ctx, otp!);
if (!toCheckOtp || toCheckOtp.expiresAt < new Date()) {
if (toCheckOtp) {
await ctx.context.internalAdapter.deleteVerificationValue(
toCheckOtp.id,
);
}
throw new APIError("BAD_REQUEST", {
message: TWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED,
});
}
const allowedAttempts = options?.allowedAttempts || 5;
if (parseInt(counter!) >= allowedAttempts) {
await ctx.context.internalAdapter.deleteVerificationValue(
toCheckOtp.id,
);
throw new APIError("BAD_REQUEST", {
message: TWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE,
});
}
if (decryptedOtp === ctx.body.code) {
if (!session.user.twoFactorEnabled) {
if (!session.session) {
throw new APIError("BAD_REQUEST", {
message: BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION,
});
}
const updatedUser = await ctx.context.internalAdapter.updateUser(
session.user.id,
{
twoFactorEnabled: true,
},
);
const newSession = await ctx.context.internalAdapter.createSession(
session.user.id,
false,
session.session,
);
await ctx.context.internalAdapter.deleteSession(
session.session.token,
);
await setSessionCookie(ctx, {
session: newSession,
user: updatedUser,
});
return ctx.json({
token: newSession.token,
user: {
id: updatedUser.id,
email: updatedUser.email,
emailVerified: updatedUser.emailVerified,
name: updatedUser.name,
image: updatedUser.image,
createdAt: updatedUser.createdAt,
updatedAt: updatedUser.updatedAt,
},
});
}
return valid(ctx);
} else {
await ctx.context.internalAdapter.updateVerificationValue(
toCheckOtp.id,
{
value: `${otp}:${(parseInt(counter!, 10) || 0) + 1}`,
},
);
return invalid("INVALID_CODE");
}
},
);
return {
id: "otp",
endpoints: {
/**
* ### Endpoint
*
* POST `/two-factor/send-otp`
*
* ### API Methods
*
* **server:**
* `auth.api.send2FaOTP`
*
* **client:**
* `authClient.twoFactor.sendOtp`
*
* @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-send-otp)
*/
sendTwoFactorOTP: send2FaOTP,
/**
* ### Endpoint
*
* POST `/two-factor/verify-otp`
*
* ### API Methods
*
* **server:**
* `auth.api.verifyOTP`
*
* **client:**
* `authClient.twoFactor.verifyOtp`
*
* @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-verify-otp)
*/
verifyTwoFactorOTP: verifyOTP,
},
} satisfies TwoFactorProvider;
};
```
--------------------------------------------------------------------------------
/docs/content/docs/concepts/oauth.mdx:
--------------------------------------------------------------------------------
```markdown
---
title: OAuth
description: How Better Auth handles OAuth
---
Better Auth comes with built-in support for OAuth 2.0 and OpenID Connect. This allows you to authenticate users via popular OAuth providers like Google, Facebook, GitHub, and more.
If your desired provider isn't directly supported, you can use the [Generic OAuth Plugin](/docs/plugins/generic-oauth) for custom integrations.
## Configuring Social Providers
To enable a social provider, you need to provide `clientId` and `clientSecret` for the provider.
Here's an example of how to configure Google as a provider:
```ts title="auth.ts"
import { betterAuth } from "better-auth";
export const auth = betterAuth({
// Other configurations...
socialProviders: {
google: {
clientId: "YOUR_GOOGLE_CLIENT_ID",
clientSecret: "YOUR_GOOGLE_CLIENT_SECRET",
},
},
});
```
## Usage
### Sign In
To sign in with a social provider, you can use the `signIn.social` function with the `authClient` or `auth.api` for server-side usage.
```ts
// client-side usage
await authClient.signIn.social({
provider: "google", // or any other provider id
})
```
```ts
// server-side usage
await auth.api.signInSocial({
body: {
provider: "google", // or any other provider id
},
});
```
### Link account
To link an account to a social provider, you can use the `linkAccount` function with the `authClient` or `auth.api` for server-side usage.
```ts
await authClient.linkSocial({
provider: "google", // or any other provider id
})
```
server-side usage:
```ts
await auth.api.linkSocialAccount({
body: {
provider: "google", // or any other provider id
},
headers: // pass headers with authenticated token
});
```
### Get Access Token
To get the access token for a social provider, you can use the `getAccessToken` function with the `authClient` or `auth.api` for server-side usage. When you use this endpoint, if the access token is expired, it will be refreshed.
```ts
const { accessToken } = await authClient.getAccessToken({
providerId: "google", // or any other provider id
accountId: "accountId", // optional, if you want to get the access token for a specific account
})
```
server-side usage:
```ts
await auth.api.getAccessToken({
body: {
providerId: "google", // or any other provider id
accountId: "accountId", // optional, if you want to get the access token for a specific account
userId: "userId", // optional, if you don't provide headers with authenticated token
},
headers: // pass headers with authenticated token
});
```
### Get Account Info Provided by the provider
To get provider specific account info you can use the `accountInfo` function with the `authClient` or `auth.api` for server-side usage.
```ts
const info = await authClient.accountInfo({
accountId: "accountId", // here you pass in the provider given account id, the provider is automatically detected from the account id
})
```
server-side usage:
```ts
await auth.api.accountInfo({
body: { accountId: "accountId" },
headers: // pass headers with authenticated token
});
```
### Requesting Additional Scopes
Sometimes your application may need additional OAuth scopes after the user has already signed up (e.g., for accessing GitHub repositories or Google Drive). Users may not want to grant extensive permissions initially, preferring to start with minimal permissions and grant additional access as needed.
You can request additional scopes by using the `linkSocial` method with the same provider. This will trigger a new OAuth flow that requests the additional scopes while maintaining the existing account connection.
```ts
const requestAdditionalScopes = async () => {
await authClient.linkSocial({
provider: "google",
scopes: ["https://www.googleapis.com/auth/drive.file"],
});
};
```
<Callout>
Make sure you're running Better Auth version 1.2.7 or later. Earlier versions (like 1.2.2) may show a "Social account already linked" error when trying to link with an existing provider for additional scopes.
</Callout>
## Provider Options
### scope
The scope of the access request. For example, `email` or `profile`.
```ts title="auth.ts"
import { betterAuth } from "better-auth";
export const auth = betterAuth({
// Other configurations...
socialProviders: {
google: {
clientId: "YOUR_GOOGLE_CLIENT_ID",
clientSecret: "YOUR_GOOGLE_CLIENT_SECRET",
scope: ["email", "profile"],
},
},
});
```
### redirectURI
Custom redirect URI for the provider. By default, it uses `/api/auth/callback/${providerName}`
```ts title="auth.ts"
export const auth = betterAuth({
// Other configurations...
socialProviders: {
google: {
clientId: "YOUR_GOOGLE_CLIENT_ID",
clientSecret: "YOUR_GOOGLE_CLIENT_SECRET",
redirectURI: "https://your-app.com/auth/callback",
},
},
});
```
### disableSignUp
Disables sign-up for new users.
### disableIdTokenSignIn
Disables the use of the ID token for sign-in. By default, it's enabled for some providers like Google and Apple.
### verifyIdToken
A custom function to verify the ID token.
### overrideUserInfoOnSignIn
A boolean value that determines whether to override the user information in the database when signing in. By default, it is set to `false`, meaning that the user information will not be overridden during sign-in. If you want to update the user information every time they sign in, set this to `true`.
### mapProfileToUser
A custom function to map the user profile returned from the provider to the user object in your database.
Useful, if you have additional fields in your user object you want to populate from the provider's profile. Or if you want to change how by default the user object is mapped.
```ts title="auth.ts"
import { betterAuth } from "better-auth";
export const auth = betterAuth({
// Other configurations...
socialProviders: {
google: {
clientId: "YOUR_GOOGLE_CLIENT_ID",
clientSecret: "YOUR_GOOGLE_CLIENT_SECRET",
mapProfileToUser: (profile) => {
return {
firstName: profile.given_name,
lastName: profile.family_name,
};
},
},
},
});
```
### refreshAccessToken
A custom function to refresh the token. This feature is only supported for built-in social providers (Google, Facebook, GitHub, etc.) and is not currently supported for custom OAuth providers configured through the Generic OAuth Plugin. For built-in providers, you can provide a custom function to refresh the token if needed.
```ts title="auth.ts"
import { betterAuth } from "better-auth";
export const auth = betterAuth({
// Other configurations...
socialProviders: {
google: {
clientId: "YOUR_GOOGLE_CLIENT_ID",
clientSecret: "YOUR_GOOGLE_CLIENT_SECRET",
refreshAccessToken: async (token) => {
return {
accessToken: "new-access-token",
refreshToken: "new-refresh-token",
};
},
},
},
});
```
### clientKey
The client key of your application. This is used by TikTok Social Provider instead of `clientId`.
```ts title="auth.ts"
import { betterAuth } from "better-auth";
export const auth = betterAuth({
// Other configurations...
socialProviders: {
tiktok: {
clientKey: "YOUR_TIKTOK_CLIENT_KEY",
clientSecret: "YOUR_TIKTOK_CLIENT_SECRET",
},
},
});
```
### getUserInfo
A custom function to get user info from the provider. This allows you to override the default user info retrieval process.
```ts title="auth.ts"
import { betterAuth } from "better-auth";
export const auth = betterAuth({
// Other configurations...
socialProviders: {
google: {
clientId: "YOUR_GOOGLE_CLIENT_ID",
clientSecret: "YOUR_GOOGLE_CLIENT_SECRET",
getUserInfo: async (token) => {
// Custom implementation to get user info
const response = await fetch("https://www.googleapis.com/oauth2/v2/userinfo", {
headers: {
Authorization: `Bearer ${token.accessToken}`,
},
});
const profile = await response.json();
return {
user: {
id: profile.id,
name: profile.name,
email: profile.email,
image: profile.picture,
emailVerified: profile.verified_email,
},
data: profile,
};
},
},
},
});
```
### disableImplicitSignUp
Disables implicit sign up for new users. When set to true for the provider, sign-in needs to be called with `requestSignUp` as true to create new users.
```ts title="auth.ts"
import { betterAuth } from "better-auth";
export const auth = betterAuth({
// Other configurations...
socialProviders: {
google: {
clientId: "YOUR_GOOGLE_CLIENT_ID",
clientSecret: "YOUR_GOOGLE_CLIENT_SECRET",
disableImplicitSignUp: true,
},
},
});
```
### prompt
The prompt to use for the authorization code request. This controls the authentication flow behavior.
```ts title="auth.ts"
import { betterAuth } from "better-auth";
export const auth = betterAuth({
// Other configurations...
socialProviders: {
google: {
clientId: "YOUR_GOOGLE_CLIENT_ID",
clientSecret: "YOUR_GOOGLE_CLIENT_SECRET",
prompt: "select_account", // or "consent", "login", "none", "select_account+consent"
},
},
});
```
### responseMode
The response mode to use for the authorization code request. This determines how the authorization response is returned.
```ts title="auth.ts"
import { betterAuth } from "better-auth";
export const auth = betterAuth({
// Other configurations...
socialProviders: {
google: {
clientId: "YOUR_GOOGLE_CLIENT_ID",
clientSecret: "YOUR_GOOGLE_CLIENT_SECRET",
responseMode: "query", // or "form_post"
},
},
});
```
### disableDefaultScope
Removes the default scopes of the provider. By default, providers include certain scopes like `email` and `profile`. Set this to `true` to remove these default scopes and use only the scopes you specify.
```ts title="auth.ts"
import { betterAuth } from "better-auth";
export const auth = betterAuth({
// Other configurations...
socialProviders: {
google: {
clientId: "YOUR_GOOGLE_CLIENT_ID",
clientSecret: "YOUR_GOOGLE_CLIENT_SECRET",
disableDefaultScope: true,
scope: ["https://www.googleapis.com/auth/userinfo.email"], // Only this scope will be used
},
},
});
```
### Other Provider Configurations
Each provider may have additional options, check the specific provider documentation for more details.
```
--------------------------------------------------------------------------------
/packages/better-auth/src/plugins/organization/routes/crud-org.test.ts:
--------------------------------------------------------------------------------
```typescript
import { describe, expect, it, vi } from "vitest";
import { getTestInstance } from "../../../test-utils/test-instance";
import { organization } from "../organization";
import { createAuthClient } from "../../../client";
import { organizationClient } from "../client";
import { ORGANIZATION_ERROR_CODES } from "../error-codes";
describe("get-full-organization", async () => {
const { auth, signInWithTestUser, cookieSetter } = await getTestInstance({
plugins: [organization()],
});
const { headers } = await signInWithTestUser();
const client = createAuthClient({
plugins: [organizationClient()],
baseURL: "http://localhost:3000/api/auth",
fetchOptions: {
customFetchImpl: async (url, init) => {
return auth.handler(new Request(url, init));
},
},
});
const org = await client.organization.create({
name: "test",
slug: "test",
metadata: {
test: "test",
},
fetchOptions: {
headers,
},
});
const secondOrg = await client.organization.create({
name: "test-second",
slug: "test-second",
metadata: {
test: "second-org",
},
fetchOptions: {
headers,
},
});
it("should get organization by organizationId", async () => {
const { headers } = await signInWithTestUser();
//set the second org as active
await client.organization.setActive({
organizationId: secondOrg.data?.id as string,
fetchOptions: {
headers,
},
});
const orgById = await client.organization.getFullOrganization({
query: {
// get the first org
organizationId: org.data?.id as string,
},
fetchOptions: {
headers,
},
});
expect(orgById.data?.name).toBe("test");
});
it("should get organization by organizationSlug", async () => {
const { headers } = await signInWithTestUser();
const orgBySlug = await client.organization.getFullOrganization({
query: {
organizationSlug: "test",
},
fetchOptions: {
headers,
},
});
expect(orgBySlug.data?.name).toBe("test");
});
it("should return null when no active organization and no query params", async () => {
await client.organization.setActive({
organizationId: null,
fetchOptions: {
headers,
},
});
const result = await client.organization.getFullOrganization({
fetchOptions: {
headers: headers,
},
});
expect(result.data).toBeNull();
expect(result.error).toBeNull();
});
it("should throw FORBIDDEN when user is not a member of the organization", async () => {
const newHeaders = new Headers();
await client.signUp.email(
{
email: "[email protected]",
password: "password",
name: "test3",
},
{
onSuccess: cookieSetter(newHeaders),
},
);
const result = await client.organization.getFullOrganization({
query: {
organizationId: org.data?.id as string,
},
fetchOptions: {
headers: newHeaders,
},
});
expect(result.error?.status).toBe(403);
expect(result.error?.message).toContain(
ORGANIZATION_ERROR_CODES.USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION,
);
});
it("should throw BAD_REQUEST when organization doesn't exist", async () => {
const result = await client.organization.getFullOrganization({
query: {
organizationId: "non-existent-org-id",
},
fetchOptions: {
headers,
},
});
expect(result.error?.status).toBe(400);
expect(result.error?.message).toContain(
ORGANIZATION_ERROR_CODES.ORGANIZATION_NOT_FOUND,
);
});
it("should include invitations in the response", async () => {
await client.organization.setActive({
organizationId: org.data?.id as string,
fetchOptions: {
headers,
},
});
// Create an invitation
await client.organization.inviteMember({
email: "[email protected]",
role: "member",
fetchOptions: {
headers,
},
});
const fullOrg = await client.organization.getFullOrganization({
fetchOptions: {
headers,
},
});
expect(fullOrg.data?.invitations).toBeDefined();
expect(Array.isArray(fullOrg.data?.invitations)).toBe(true);
const invitation = fullOrg.data?.invitations.find(
(inv: any) => inv.email === "[email protected]",
);
expect(invitation).toBeDefined();
expect(invitation?.role).toBe("member");
});
it("should prioritize organizationSlug over organizationId when both are provided", async () => {
const result = await client.organization.getFullOrganization({
query: {
organizationId: org.data?.id as string,
organizationSlug: secondOrg.data?.slug as string,
},
fetchOptions: {
headers,
},
});
expect(result.data).toBeTruthy();
expect(result.data?.name).toBe(secondOrg.data?.name);
});
it("should allow listing members with membersLimit", async () => {
const { headers } = await signInWithTestUser();
await client.organization.setActive({
organizationId: org.data?.id as string,
fetchOptions: {
headers,
},
});
const newUser = await auth.api.signUpEmail({
body: {
email: "[email protected]",
password: "password",
name: "test2",
},
});
await auth.api.addMember({
body: {
userId: newUser.user.id,
role: "member",
organizationId: org.data?.id as string,
},
});
const FullOrganization = await client.organization.getFullOrganization({
fetchOptions: {
headers,
},
});
expect(FullOrganization.data?.members.length).toBe(2);
const limitedMembers = await client.organization.getFullOrganization({
query: {
membersLimit: 1,
},
fetchOptions: {
headers,
},
});
expect(limitedMembers.data?.members.length).toBe(1);
});
it("should use default membershipLimit when no membersLimit is specified", async () => {
await client.organization.setActive({
organizationId: org.data?.id as string,
fetchOptions: {
headers,
},
});
for (let i = 3; i <= 5; i++) {
const newUser = await auth.api.signUpEmail({
body: {
email: `test-${i}@test.com`,
password: "password",
name: `test${i}`,
},
});
await auth.api.addMember({
body: {
userId: newUser.user.id,
role: "member",
organizationId: org.data?.id as string,
},
});
}
const fullOrg = await client.organization.getFullOrganization({
fetchOptions: {
headers,
},
});
expect(fullOrg.data?.members.length).toBeGreaterThan(3);
expect(fullOrg.data?.members.length).toBeLessThanOrEqual(6);
});
});
describe("organization hooks", async () => {
it("should apply beforeCreateOrganization hook", async () => {
const beforeCreateOrganization = vi.fn();
const { auth, signInWithTestUser } = await getTestInstance(
{
plugins: [
organization({
organizationHooks: {
beforeCreateOrganization: async (data) => {
beforeCreateOrganization();
return {
data: {
...data.organization,
metadata: {
hookCalled: true,
},
name: "changed-name",
},
};
},
},
}),
],
},
{
clientOptions: {
plugins: [organizationClient()],
},
},
);
const { headers } = await signInWithTestUser();
const result = await auth.api.createOrganization({
body: {
name: "test",
slug: "test",
},
headers,
});
expect(beforeCreateOrganization).toHaveBeenCalled();
expect(result?.name).toBe("changed-name");
expect(result?.metadata).toEqual({
hookCalled: true,
});
});
it("should apply afterCreateOrganization hook", async () => {
const afterCreateOrganization = vi.fn();
const { auth, signInWithTestUser } = await getTestInstance({
plugins: [
organization({
organizationHooks: {
afterCreateOrganization: async (data) => {
afterCreateOrganization();
},
},
}),
],
});
const { headers } = await signInWithTestUser();
const result = await auth.api.createOrganization({
body: {
name: "test",
slug: "test",
},
headers,
});
expect(afterCreateOrganization).toHaveBeenCalled();
});
it("should apply beforeAddMember hook", async () => {
const beforeAddMember = vi.fn();
const { auth, signInWithTestUser } = await getTestInstance({
plugins: [
organization({
organizationHooks: {
beforeAddMember: async (data) => {
beforeAddMember();
return {
data: {
role: "changed-role",
},
};
},
},
}),
],
});
const { headers } = await signInWithTestUser();
await auth.api.createOrganization({
body: {
name: "test",
slug: "test",
},
headers,
});
expect(beforeAddMember).toHaveBeenCalled();
const member = await auth.api.getActiveMember({
headers,
});
expect(member?.role).toBe("changed-role");
});
it("should apply afterAddMember hook", async () => {
const afterAddMember = vi.fn();
const { auth, signInWithTestUser } = await getTestInstance({
plugins: [
organization({
organizationHooks: {
afterAddMember: async (data) => {
afterAddMember();
},
},
}),
],
});
const { headers } = await signInWithTestUser();
await auth.api.createOrganization({
body: {
name: "test",
slug: "test",
},
headers,
});
expect(afterAddMember).toHaveBeenCalled();
});
it("should apply beforeCreateTeam hook", async () => {
const beforeCreateTeam = vi.fn();
const { auth, signInWithTestUser } = await getTestInstance({
plugins: [
organization({
teams: {
enabled: true,
},
organizationHooks: {
beforeCreateTeam: async (data) => {
beforeCreateTeam();
return {
data: {
name: "changed-name",
},
};
},
},
}),
],
});
const { headers } = await signInWithTestUser();
const result = await auth.api.createOrganization({
body: {
name: "test",
slug: "test",
},
headers,
});
expect(beforeCreateTeam).toHaveBeenCalled();
const team = await auth.api.listOrganizationTeams({
headers,
query: {
organizationId: result?.id,
},
});
expect(team[0]?.name).toBe("changed-name");
});
it("should apply afterCreateTeam hook", async () => {
const afterCreateTeam = vi.fn();
const { auth, signInWithTestUser } = await getTestInstance({
plugins: [
organization({
teams: {
enabled: true,
},
organizationHooks: {
afterCreateTeam: async (data) => {
afterCreateTeam();
},
},
}),
],
});
const { headers } = await signInWithTestUser();
await auth.api.createOrganization({
body: {
name: "test",
slug: "test",
},
headers,
});
expect(afterCreateTeam).toHaveBeenCalled();
});
});
```
--------------------------------------------------------------------------------
/docs/content/docs/integrations/convex.mdx:
--------------------------------------------------------------------------------
```markdown
---
title: Convex Integration
description: Integrate Better Auth with Convex.
---
<Callout>
This documentation comes from the [Convex documentation](https://convex-better-auth.netlify.app/),
for more information, please refer to their documentation.
</Callout>
## Prerequisites
<Steps>
<Step>
### Create a Convex project
To use Convex + Better Auth, you'll first need a [Convex](https://www.convex.dev/) project.
If you don't have one, run the following command to get started.
```package-install
npm create convex@latest
```
Check out the [Convex docs](https://docs.convex.dev/home) to learn more about Convex.
</Step>
<Step>
### Run `convex dev`
Running the CLI during setup will initialize your Convex deployment
if it doesn't already exist, and keeps generated types current through the process. Keep it running.
```package-install
npx convex dev
```
</Step>
</Steps>
## Installation of Convex + Better Auth
The following documentation assumes you're using Next.js.
If you're not using Next.js, support for other frameworks is documented in the [installation guide by Convex](https://convex-better-auth.netlify.app/#select-your-framework).
<Callout>
For a complete example, check out Convex + Better Auth example with Next.js [on GitHub](https://github.com/get-convex/better-auth/tree/main/examples/next).
</Callout>
### Installation
<Steps>
<Step>
#### Install packages
Install the component, a pinned version of Better Auth, and ensure the latest version of Convex.
<Callout>
This component requires Convex `1.25.0` or later.
</Callout>
```package-install
npm install [email protected] --save-exact
npm install convex@latest @convex-dev/better-auth
```
</Step>
<Step>
#### Register the component
Register the Better Auth component in your Convex project.
```ts title="convex/convex.config.ts"
import { defineApp } from "convex/server";
import betterAuth from "@convex-dev/better-auth/convex.config";
const app = defineApp();
app.use(betterAuth);
export default app;
```
</Step>
<Step>
#### Add Convex auth config
Add a `convex/auth.config.ts` file to configure Better Auth as an authentication provider.
```ts title="convex/auth.config.ts"
export default {
providers: [
{
domain: process.env.CONVEX_SITE_URL,
applicationID: "convex",
},
],
};
```
</Step>
<Step>
#### Set environment variables
Generate a secret for encryption and generating hashes. Use the command below if you have openssl installed, or generate your own however you like.
```package-install
npx convex env set BETTER_AUTH_SECRET=$(openssl rand -base64 32)
```
Add your site URL to your Convex deployment.
```package-install
npx convex env set SITE_URL http://localhost:3000
```
Add environment variables to the `.env.local` file created by `npx convex dev`.
It will be picked up by your framework dev server.
```shell title=".env.local" tab="Cloud"
# Deployment used by \`npx convex dev\`
CONVEX_DEPLOYMENT=dev:adjective-animal-123 # team: team-name, project: project-name
NEXT_PUBLIC_CONVEX_URL=https://adjective-animal-123.convex.cloud
# Same as NEXT_PUBLIC_CONVEX_URL but ends in .site // [!code ++]
NEXT_PUBLIC_CONVEX_SITE_URL=https://adjective-animal-123.convex.site # [!code ++]
# Your local site URL // [!code ++]
SITE_URL=http://localhost:3000 # [!code ++]
```
```shell title=".env.local" tab="Self hosted"
# Deployment used by \`npx convex dev\`
CONVEX_DEPLOYMENT=dev:adjective-animal-123 # team: team-name, project: project-name
NEXT_PUBLIC_CONVEX_URL=http://127.0.0.1:3210
# Will generally be one number higher than NEXT_PUBLIC_CONVEX_URL,
# so if your convex url is :3212, your site url will be :3213
NEXT_PUBLIC_CONVEX_SITE_URL=http://127.0.0.1:3211 # [!code ++]
# Your local site URL // [!code ++]
SITE_URL=http://localhost:3000 # [!code ++]
```
</Step>
<Step>
### Create a Better Auth instance
Create a Better Auth instance and initialize the component.
<Callout>Some TypeScript errors will show until you save the file.</Callout>
```ts title="convex/auth.ts"
import { createClient, type GenericCtx } from "@convex-dev/better-auth";
import { convex } from "@convex-dev/better-auth/plugins";
import { components } from "./_generated/api";
import { DataModel } from "./_generated/dataModel";
import { query } from "./_generated/server";
import { betterAuth } from "better-auth";
const siteUrl = process.env.SITE_URL!;
// The component client has methods needed for integrating Convex with Better Auth,
// as well as helper methods for general use.
export const authComponent = createClient<DataModel>(components.betterAuth);
export const createAuth = (
ctx: GenericCtx<DataModel>,
{ optionsOnly } = { optionsOnly: false },
) => {
return betterAuth({
// disable logging when createAuth is called just to generate options.
// this is not required, but there's a lot of noise in logs without it.
logger: {
disabled: optionsOnly,
},
baseURL: siteUrl,
database: authComponent.adapter(ctx),
// Configure simple, non-verified email/password to get started
emailAndPassword: {
enabled: true,
requireEmailVerification: false,
},
plugins: [
// The Convex plugin is required for Convex compatibility
convex(),
],
});
};
// Example function for getting the current user
// Feel free to edit, omit, etc.
export const getCurrentUser = query({
args: {},
handler: async (ctx) => {
return authComponent.getAuthUser(ctx);
},
});
```
</Step>
<Step>
### Create a Better Auth client instance
Create a Better Auth client instance for interacting with the Better Auth server from your client.
```ts title="src/lib/auth-client.ts"
import { createAuthClient } from "better-auth/react";
import { convexClient } from "@convex-dev/better-auth/client/plugins";
export const authClient = createAuthClient({
plugins: [convexClient()],
});
```
</Step>
<Step>
### Mount handlers
Register Better Auth route handlers on your Convex deployment.
```ts title="convex/http.ts"
import { httpRouter } from "convex/server";
import { authComponent, createAuth } from "./auth";
const http = httpRouter();
authComponent.registerRoutes(http, createAuth);
export default http;
```
Set up route handlers to proxy auth requests from your framework server to your Convex deployment.
```ts title="app/api/auth/[...all]/route.ts"
import { nextJsHandler } from "@convex-dev/better-auth/nextjs";
export const { GET, POST } = nextJsHandler();
```
</Step>
<Step>
### Set up Convex client provider
Wrap your app with the `ConvexBetterAuthProvider` component.
```ts title="app/ConvexClientProvider.tsx"
"use client";
import { ReactNode } from "react";
import { ConvexReactClient } from "convex/react";
import { authClient } from "@/lib/auth-client"; // [!code ++]
import { ConvexBetterAuthProvider } from "@convex-dev/better-auth/react"; // [!code ++]
const convex = new ConvexReactClient(process.env.NEXT_PUBLIC_CONVEX_URL!, {
// Optionally pause queries until the user is authenticated // [!code ++]
expectAuth: true, // [!code ++]
});
export function ConvexClientProvider({ children }: { children: ReactNode }) {
return (
<ConvexBetterAuthProvider client={convex} authClient={authClient}> // [!code ++]
{children}
</ConvexBetterAuthProvider> // [!code ++]
);
}
```
</Step>
</Steps>
### You're done!
You're now ready to start using Better Auth with Convex.
## Usage
### Using Better Auth from the server
To use Better Auth's [server
methods](https://www.better-auth.com/docs/concepts/api) in server rendering,
server functions, or any other Next.js server code, use Convex functions
and call the function from your server code.
First, a token helper for calling Convex functions from your server code.
```ts title="src/lib/auth-server.ts"
import { createAuth } from "@/convex/auth";
import { getToken as getTokenNextjs } from "@convex-dev/better-auth/nextjs";
export const getToken = () => {
return getTokenNextjs(createAuth);
};
```
Here's an example Convex function that uses Better Auth's server methods, and
a server action that calls the Convex function.
```ts title="convex/users.ts"
import { mutation } from "./_generated/server";
import { v } from "convex/values";
import { createAuth, authComponent } from "./auth";
export const updateUserPassword = mutation({
args: {
currentPassword: v.string(),
newPassword: v.string(),
},
handler: async (ctx, args) => {
const { auth, headers } = await authComponent.getAuth(createAuth, ctx);
await auth.api.changePassword({
body: {
currentPassword: args.currentPassword,
newPassword: args.newPassword,
},
headers,
});
},
});
```
```ts title="app/actions.ts"
"use server";
import { fetchMutation } from "convex/nextjs";
import { api } from "../convex/_generated/api";
import { getToken } from "../lib/auth-server";
// Authenticated mutation via server function
export async function updatePassword({
currentPassword,
newPassword,
}: {
currentPassword: string;
newPassword: string;
}) {
const token = await getToken();
await fetchMutation(
api.users.updatePassword,
{ currentPassword, newPassword },
{ token }
);
}
```
<Callout>
This documentation comes from the [Convex documentation](https://convex-better-auth.netlify.app/),
for more information, please refer to their documentation.
</Callout>
```
--------------------------------------------------------------------------------
/packages/core/src/db/adapter/index.ts:
--------------------------------------------------------------------------------
```typescript
import type { BetterAuthDBSchema, DBFieldAttribute } from "../type";
import type { BetterAuthOptions } from "../../types";
export type DBAdapterDebugLogOption =
| boolean
| {
/**
* Useful when you want to log only certain conditions.
*/
logCondition?: (() => boolean) | undefined;
create?: boolean;
update?: boolean;
updateMany?: boolean;
findOne?: boolean;
findMany?: boolean;
delete?: boolean;
deleteMany?: boolean;
count?: boolean;
}
| {
/**
* Only used for adapter tests to show debug logs if a test fails.
*
* @deprecated Not actually deprecated. Doing this for IDEs to show this option at the very bottom and stop end-users from using this.
*/
isRunningAdapterTests: boolean;
};
export type DBAdapterSchemaCreation = {
/**
* Code to be inserted into the file
*/
code: string;
/**
* Path to the file, including the file name and extension.
* Relative paths are supported, with the current working directory of the developer's project as the base.
*/
path: string;
/**
* Append the file if it already exists.
* Note: This will not apply if `overwrite` is set to true.
*/
append?: boolean;
/**
* Overwrite the file if it already exists
*/
overwrite?: boolean;
};
export interface DBAdapterFactoryConfig<
Options extends BetterAuthOptions = BetterAuthOptions,
> {
/**
* Use plural table names.
*
* All tables will be named with an `s` at the end.
*
* @default false
*/
usePlural?: boolean;
/**
* Enable debug logs.
*
* @default false
*/
debugLogs?: DBAdapterDebugLogOption;
/**
* Name of the adapter.
*
* This is used to identify the adapter in the debug logs.
*
* @default `adapterId`
*/
adapterName?: string;
/**
* Adapter id
*/
adapterId: string;
/**
* If the database supports numeric ids, set this to `true`.
*
* @default true
*/
supportsNumericIds?: boolean;
/**
* If the database doesn't support JSON columns, set this to `false`.
*
* We will handle the translation between using `JSON` columns, and saving `string`s to the database.
*
* @default false
*/
supportsJSON?: boolean;
/**
* If the database doesn't support dates, set this to `false`.
*
* We will handle the translation between using `Date` objects, and saving `string`s to the database.
*
* @default true
*/
supportsDates?: boolean;
/**
* If the database doesn't support booleans, set this to `false`.
*
* We will handle the translation between using `boolean`s, and saving `0`s and `1`s to the database.
*
* @default true
*/
supportsBooleans?: boolean;
/**
* Execute multiple operations in a transaction.
*
* If the database doesn't support transactions, set this to `false` and operations will be executed sequentially.
*
* @default false
*/
transaction?:
| false
| (<R>(
callback: (trx: DBTransactionAdapter<Options>) => Promise<R>,
) => Promise<R>);
/**
* Disable id generation for the `create` method.
*
* This is useful for databases that don't support custom id values and would auto-generate them for you.
*
* @default false
*/
disableIdGeneration?: boolean;
/**
* Map the keys of the input data.
*
* This is useful for databases that expect a different key name for a given situation.
*
* For example, MongoDB uses `_id` while in Better-Auth we use `id`.
*
*
* @example
* Each key represents the old key to replace.
* The value represents the new key
*
* This can be a partial object that only transforms some keys.
*
* ```ts
* mapKeysTransformInput: {
* id: "_id" // We want to replace `id` to `_id` to save into MongoDB
* }
* ```
*/
mapKeysTransformInput?: Record<string, string>;
/**
* Map the keys of the output data.
*
* This is useful for databases that expect a different key name for a given situation.
*
* For example, MongoDB uses `_id` while in Better-Auth we use `id`.
*
* @example
* Each key represents the old key to replace.
* The value represents the new key
*
* This can be a partial object that only transforms some keys.
*
* ```ts
* mapKeysTransformOutput: {
* _id: "id" // In MongoDB, we save `id` as `_id`. So we want to replace `_id` with `id` when we get the data back.
* }
* ```
*/
mapKeysTransformOutput?: Record<string, string>;
/**
* Custom transform input function.
*
* This function is used to transform the input data before it is saved to the database.
*/
customTransformInput?: (props: {
data: any;
/**
* The fields of the model.
*/
fieldAttributes: DBFieldAttribute;
/**
* The field to transform.
*/
field: string;
/**
* The action which was called from the adapter.
*/
action: "create" | "update";
/**
* The model name.
*/
model: string;
/**
* The schema of the user's Better-Auth instance.
*/
schema: BetterAuthDBSchema;
/**
* The options of the user's Better-Auth instance.
*/
options: Options;
}) => any;
/**
* Custom transform output function.
*
* This function is used to transform the output data before it is returned to the user.
*/
customTransformOutput?: (props: {
data: any;
/**
* The fields of the model.
*/
fieldAttributes: DBFieldAttribute;
/**
* The field to transform.
*/
field: string;
/**
* The fields to select.
*/
select: string[];
/**
* The model name.
*/
model: string;
/**
* The schema of the user's Better-Auth instance.
*/
schema: BetterAuthDBSchema;
/**
* The options of the user's Better-Auth instance.
*/
options: Options;
}) => any;
/**
* Custom ID generator function.
*
* By default, we can handle ID generation for you, however if the database your adapter is for only supports a specific custom id generation,
* then you can use this function to generate your own IDs.
*
*
* Notes:
* - If the user enabled `useNumberId`, then this option will be ignored. Unless this adapter config has `supportsNumericIds` set to `false`.
* - If `generateId` is `false` in the user's Better-Auth config, then this option will be ignored.
* - If `generateId` is a function, then it will override this option.
*
* @example
*
* ```ts
* customIdGenerator: ({ model }) => {
* return "my-super-unique-id";
* }
* ```
*/
customIdGenerator?: (props: { model: string }) => string;
/**
* Whether to disable the transform output.
* Do not use this option unless you know what you are doing.
* @default false
*/
disableTransformOutput?: boolean;
/**
* Whether to disable the transform input.
* Do not use this option unless you know what you are doing.
* @default false
*/
disableTransformInput?: boolean;
}
export type Where = {
/**
* @default eq
*/
operator?:
| "eq"
| "ne"
| "lt"
| "lte"
| "gt"
| "gte"
| "in"
| "not_in"
| "contains"
| "starts_with"
| "ends_with";
value: string | number | boolean | string[] | number[] | Date | null;
field: string;
/**
* @default AND
*/
connector?: "AND" | "OR";
};
export type DBTransactionAdapter<
Options extends BetterAuthOptions = BetterAuthOptions,
> = Omit<DBAdapter<Options>, "transaction">;
export type DBAdapter<Options extends BetterAuthOptions = BetterAuthOptions> = {
id: string;
create: <T extends Record<string, any>, R = T>(data: {
model: string;
data: Omit<T, "id">;
select?: string[];
/**
* By default, any `id` provided in `data` will be ignored.
*
* If you want to force the `id` to be the same as the `data.id`, set this to `true`.
*/
forceAllowId?: boolean;
}) => Promise<R>;
findOne: <T>(data: {
model: string;
where: Where[];
select?: string[];
}) => Promise<T | null>;
findMany: <T>(data: {
model: string;
where?: Where[];
limit?: number;
sortBy?: {
field: string;
direction: "asc" | "desc";
};
offset?: number;
}) => Promise<T[]>;
count: (data: { model: string; where?: Where[] }) => Promise<number>;
/**
* ⚠︎ Update may not return the updated data
* if multiple where clauses are provided
*/
update: <T>(data: {
model: string;
where: Where[];
update: Record<string, any>;
}) => Promise<T | null>;
updateMany: (data: {
model: string;
where: Where[];
update: Record<string, any>;
}) => Promise<number>;
delete: <T>(data: { model: string; where: Where[] }) => Promise<void>;
deleteMany: (data: { model: string; where: Where[] }) => Promise<number>;
/**
* Execute multiple operations in a transaction.
* If the adapter doesn't support transactions, operations will be executed sequentially.
*/
transaction: <R>(
callback: (trx: DBTransactionAdapter<Options>) => Promise<R>,
) => Promise<R>;
/**
*
* @param options
* @param file - file path if provided by the user
*/
createSchema?: (
options: Options,
file?: string,
) => Promise<DBAdapterSchemaCreation>;
options?: {
adapterConfig: DBAdapterFactoryConfig<Options>;
} & CustomAdapter["options"];
};
export type CleanedWhere = Required<Where>;
export interface CustomAdapter {
create: <T extends Record<string, any>>({
data,
model,
select,
}: {
model: string;
data: T;
select?: string[];
}) => Promise<T>;
update: <T>(data: {
model: string;
where: CleanedWhere[];
update: T;
}) => Promise<T | null>;
updateMany: (data: {
model: string;
where: CleanedWhere[];
update: Record<string, any>;
}) => Promise<number>;
findOne: <T>({
model,
where,
select,
}: {
model: string;
where: CleanedWhere[];
select?: string[];
}) => Promise<T | null>;
findMany: <T>({
model,
where,
limit,
sortBy,
offset,
}: {
model: string;
where?: CleanedWhere[];
limit: number;
sortBy?: { field: string; direction: "asc" | "desc" };
offset?: number;
}) => Promise<T[]>;
delete: ({
model,
where,
}: {
model: string;
where: CleanedWhere[];
}) => Promise<void>;
deleteMany: ({
model,
where,
}: {
model: string;
where: CleanedWhere[];
}) => Promise<number>;
count: ({
model,
where,
}: {
model: string;
where?: CleanedWhere[];
}) => Promise<number>;
createSchema?: (props: {
/**
* The file the user may have passed in to the `generate` command as the expected schema file output path.
*/
file?: string;
/**
* The tables from the user's Better-Auth instance schema.
*/
tables: BetterAuthDBSchema;
}) => Promise<DBAdapterSchemaCreation>;
/**
* Your adapter's options.
*/
options?: Record<string, any> | undefined;
}
export interface DBAdapterInstance<
Options extends BetterAuthOptions = BetterAuthOptions,
> {
(options: BetterAuthOptions): DBAdapter<Options>;
}
```
--------------------------------------------------------------------------------
/packages/cli/src/generators/drizzle.ts:
--------------------------------------------------------------------------------
```typescript
import {
getAuthTables,
type BetterAuthDBSchema,
type DBFieldAttribute,
} from "better-auth/db";
import type { BetterAuthOptions } from "better-auth/types";
import { existsSync } from "fs";
import type { SchemaGenerator } from "./types";
import prettier from "prettier";
export function convertToSnakeCase(str: string, camelCase?: boolean) {
if (camelCase) {
return str;
}
// Handle consecutive capitals (like ID, URL, API) by treating them as a single word
return str
.replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2") // Handle AABb -> AA_Bb
.replace(/([a-z\d])([A-Z])/g, "$1_$2") // Handle aBb -> a_Bb
.toLowerCase();
}
export const generateDrizzleSchema: SchemaGenerator = async ({
options,
file,
adapter,
}) => {
const tables = getAuthTables(options);
const filePath = file || "./auth-schema.ts";
const databaseType: "sqlite" | "mysql" | "pg" | undefined =
adapter.options?.provider;
if (!databaseType) {
throw new Error(
`Database provider type is undefined during Drizzle schema generation. Please define a \`provider\` in the Drizzle adapter config. Read more at https://better-auth.com/docs/adapters/drizzle`,
);
}
const fileExist = existsSync(filePath);
let code: string = generateImport({ databaseType, tables, options });
for (const tableKey in tables) {
const table = tables[tableKey]!;
const modelName = getModelName(table.modelName, adapter.options);
const fields = table.fields;
function getType(name: string, field: DBFieldAttribute) {
// Not possible to reach, it's here to make typescript happy
if (!databaseType) {
throw new Error(
`Database provider type is undefined during Drizzle schema generation. Please define a \`provider\` in the Drizzle adapter config. Read more at https://better-auth.com/docs/adapters/drizzle`,
);
}
name = convertToSnakeCase(name, adapter.options?.camelCase);
if (field.references?.field === "id") {
if (options.advanced?.database?.useNumberId) {
if (databaseType === "pg") {
return `integer('${name}')`;
} else if (databaseType === "mysql") {
return `int('${name}')`;
} else {
// using sqlite
return `integer('${name}')`;
}
}
if (field.references.field) {
if (databaseType === "mysql") {
return `varchar('${name}', { length: 36 })`;
}
}
return `text('${name}')`;
}
const type = field.type;
if (typeof type !== "string") {
if (Array.isArray(type) && type.every((x) => typeof x === "string")) {
return {
sqlite: `text({ enum: [${type.map((x) => `'${x}'`).join(", ")}] })`,
pg: `text('${name}', { enum: [${type.map((x) => `'${x}'`).join(", ")}] })`,
mysql: `mysqlEnum([${type.map((x) => `'${x}'`).join(", ")}])`,
}[databaseType];
} else {
throw new TypeError(
`Invalid field type for field ${name} in model ${modelName}`,
);
}
}
const typeMap: Record<
typeof type,
Record<typeof databaseType, string>
> = {
string: {
sqlite: `text('${name}')`,
pg: `text('${name}')`,
mysql: field.unique
? `varchar('${name}', { length: 255 })`
: field.references
? `varchar('${name}', { length: 36 })`
: `text('${name}')`,
},
boolean: {
sqlite: `integer('${name}', { mode: 'boolean' })`,
pg: `boolean('${name}')`,
mysql: `boolean('${name}')`,
},
number: {
sqlite: `integer('${name}')`,
pg: field.bigint
? `bigint('${name}', { mode: 'number' })`
: `integer('${name}')`,
mysql: field.bigint
? `bigint('${name}', { mode: 'number' })`
: `int('${name}')`,
},
date: {
sqlite: `integer('${name}', { mode: 'timestamp_ms' })`,
pg: `timestamp('${name}')`,
mysql: `timestamp('${name}', { fsp: 3 })`,
},
"number[]": {
sqlite: `integer('${name}').array()`,
pg: field.bigint
? `bigint('${name}', { mode: 'number' }).array()`
: `integer('${name}').array()`,
mysql: field.bigint
? `bigint('${name}', { mode: 'number' }).array()`
: `int('${name}').array()`,
},
"string[]": {
sqlite: `text('${name}').array()`,
pg: `text('${name}').array()`,
mysql: `text('${name}').array()`,
},
json: {
sqlite: `text('${name}')`,
pg: `jsonb('${name}')`,
mysql: `json('${name}')`,
},
} as const;
return typeMap[type][databaseType];
}
let id: string = "";
if (options.advanced?.database?.useNumberId) {
if (databaseType === "pg") {
id = `serial("id").primaryKey()`;
} else if (databaseType === "sqlite") {
id = `integer("id", { mode: "number" }).primaryKey({ autoIncrement: true })`;
} else {
id = `int("id").autoincrement().primaryKey()`;
}
} else {
if (databaseType === "mysql") {
id = `varchar('id', { length: 36 }).primaryKey()`;
} else if (databaseType === "pg") {
id = `text('id').primaryKey()`;
} else {
id = `text('id').primaryKey()`;
}
}
const schema = `export const ${modelName} = ${databaseType}Table("${convertToSnakeCase(
modelName,
adapter.options?.camelCase,
)}", {
id: ${id},
${Object.keys(fields)
.map((field) => {
const attr = fields[field]!;
const fieldName = attr.fieldName || field;
let type = getType(fieldName, attr);
if (
attr.defaultValue !== null &&
typeof attr.defaultValue !== "undefined"
) {
if (typeof attr.defaultValue === "function") {
if (
attr.type === "date" &&
attr.defaultValue.toString().includes("new Date()")
) {
if (databaseType === "sqlite") {
type += `.default(sql\`(cast(unixepoch('subsecond') * 1000 as integer))\`)`;
} else {
type += `.defaultNow()`;
}
} else {
// we are intentionally not adding .$defaultFn(${attr.defaultValue})
// this is because if the defaultValue is a function, it could have
// custom logic within that function that might not work in drizzle's context.
}
} else if (typeof attr.defaultValue === "string") {
type += `.default("${attr.defaultValue}")`;
} else {
type += `.default(${attr.defaultValue})`;
}
}
// Add .$onUpdate() for fields with onUpdate property
// Supported for all database types: PostgreSQL, MySQL, and SQLite
if (attr.onUpdate && attr.type === "date") {
if (typeof attr.onUpdate === "function") {
type += `.$onUpdate(${attr.onUpdate})`;
}
}
return `${fieldName}: ${type}${attr.required ? ".notNull()" : ""}${
attr.unique ? ".unique()" : ""
}${
attr.references
? `.references(()=> ${getModelName(
tables[attr.references.model]?.modelName ||
attr.references.model,
adapter.options,
)}.${fields[attr.references.field]?.fieldName || attr.references.field}, { onDelete: '${
attr.references.onDelete || "cascade"
}' })`
: ""
}`;
})
.join(",\n ")}
});`;
code += `\n${schema}\n`;
}
const formattedCode = await prettier.format(code, {
parser: "typescript",
});
return {
code: formattedCode,
fileName: filePath,
overwrite: fileExist,
};
};
function generateImport({
databaseType,
tables,
options,
}: {
databaseType: "sqlite" | "mysql" | "pg";
tables: BetterAuthDBSchema;
options: BetterAuthOptions;
}) {
const rootImports: string[] = [];
const coreImports: string[] = [];
let hasBigint = false;
let hasJson = false;
for (const table of Object.values(tables)) {
for (const field of Object.values(table.fields)) {
if (field.bigint) hasBigint = true;
if (field.type === "json") hasJson = true;
}
if (hasJson && hasBigint) break;
}
const useNumberId = options.advanced?.database?.useNumberId;
coreImports.push(`${databaseType}Table`);
coreImports.push(
databaseType === "mysql"
? "varchar, text"
: databaseType === "pg"
? "text"
: "text",
);
coreImports.push(
hasBigint ? (databaseType !== "sqlite" ? "bigint" : "") : "",
);
coreImports.push(databaseType !== "sqlite" ? "timestamp, boolean" : "");
if (databaseType === "mysql") {
// Only include int for MySQL if actually needed
const hasNonBigintNumber = Object.values(tables).some((table) =>
Object.values(table.fields).some(
(field) =>
(field.type === "number" || field.type === "number[]") &&
!field.bigint,
),
);
const needsInt = !!useNumberId || hasNonBigintNumber;
if (needsInt) {
coreImports.push("int");
}
const hasEnum = Object.values(tables).some((table) =>
Object.values(table.fields).some(
(field) =>
typeof field.type !== "string" &&
Array.isArray(field.type) &&
field.type.every((x) => typeof x === "string"),
),
);
if (hasEnum) {
coreImports.push("mysqlEnum");
}
} else if (databaseType === "pg") {
// Only include integer for PG if actually needed
const hasNonBigintNumber = Object.values(tables).some((table) =>
Object.values(table.fields).some(
(field) =>
(field.type === "number" || field.type === "number[]") &&
!field.bigint,
),
);
const hasFkToId = Object.values(tables).some((table) =>
Object.values(table.fields).some(
(field) => field.references?.field === "id",
),
);
// handles the references field with useNumberId
const needsInteger =
hasNonBigintNumber ||
(options.advanced?.database?.useNumberId && hasFkToId);
if (needsInteger) {
coreImports.push("integer");
}
} else {
coreImports.push("integer");
}
coreImports.push(useNumberId ? (databaseType === "pg" ? "serial" : "") : "");
//handle json last on the import order
if (hasJson) {
if (databaseType === "pg") coreImports.push("jsonb");
if (databaseType === "mysql") coreImports.push("json");
// sqlite uses text for JSON, so there's no need to handle this case
}
// Add sql import for SQLite timestamps with defaultNow
const hasSQLiteTimestamp =
databaseType === "sqlite" &&
Object.values(tables).some((table) =>
Object.values(table.fields).some(
(field) =>
field.type === "date" &&
field.defaultValue &&
typeof field.defaultValue === "function" &&
field.defaultValue.toString().includes("new Date()"),
),
);
if (hasSQLiteTimestamp) {
rootImports.push("sql");
}
return `${rootImports.length > 0 ? `import { ${rootImports.join(", ")} } from "drizzle-orm";\n` : ""}import { ${coreImports
.map((x) => x.trim())
.filter((x) => x !== "")
.join(", ")} } from "drizzle-orm/${databaseType}-core";\n`;
}
function getModelName(
modelName: string,
options: Record<string, any> | undefined,
) {
return options?.usePlural ? `${modelName}s` : modelName;
}
```