import type { CookieOptions, EndpointContext } from "better-call"; import type { Account, BetterAuthDBSchema, ModelNames, SecondaryStorage, Session, User, Verification, } from "../db"; import type { DBAdapter, Where } from "../db/adapter"; import type { createLogger } from "../env"; import type { OAuthProvider } from "../oauth2"; import type { BetterAuthCookie, BetterAuthCookies } from "./cookie"; import type { Awaitable } from "./helper"; import type { BetterAuthOptions, BetterAuthRateLimitOptions, } from "./init-options"; import type { BetterAuthPlugin } from "./plugin"; export type GenericEndpointContext< Options extends BetterAuthOptions = BetterAuthOptions, > = EndpointContext & { context: AuthContext; }; export interface InternalAdapter< _Options extends BetterAuthOptions = BetterAuthOptions, > { createOAuthUser( user: Omit, account: Omit & Partial, ): Promise<{ user: User; account: Account }>; createUser>( user: Omit & Partial & Record, ): Promise; createAccount>( account: Omit & Partial & T, ): Promise; listSessions(userId: string): Promise; listUsers( limit?: number | undefined, offset?: number | undefined, sortBy?: { field: string; direction: "asc" | "desc" } | undefined, where?: Where[] | undefined, ): Promise; countTotalUsers(where?: Where[] | undefined): Promise; deleteUser(userId: string): Promise; createSession( userId: string, dontRememberMe?: boolean | undefined, override?: (Partial & Record) | undefined, overrideAll?: boolean | undefined, ): Promise; findSession(token: string): Promise<{ session: Session & Record; user: User & Record; } | null>; findSessions( sessionTokens: string[], ): Promise<{ session: Session; user: User }[]>; updateSession( sessionToken: string, session: Partial & Record, ): Promise; deleteSession(token: string): Promise; deleteAccounts(userId: string): Promise; deleteAccount(accountId: string): Promise; deleteSessions(userIdOrSessionTokens: string | string[]): Promise; findOAuthUser( email: string, accountId: string, providerId: string, ): Promise<{ user: User; linkedAccount: Account | null; accounts: Account[]; } | null>; findUserByEmail( email: string, options?: { includeAccounts: boolean } | undefined, ): Promise<{ user: User; accounts: Account[] } | null>; findUserById(userId: string): Promise; linkAccount( account: Omit & Partial, ): Promise; // Record is to take into account additional fields or plugin-added fields updateUser>( userId: string, data: Partial & Record, ): Promise; updateUserByEmail>( email: string, data: Partial>, ): Promise; updatePassword(userId: string, password: string): Promise; findAccounts(userId: string): Promise; findAccount(accountId: string): Promise; findAccountByProviderId( accountId: string, providerId: string, ): Promise; findAccountByUserId(userId: string): Promise; updateAccount(id: string, data: Partial): Promise; createVerificationValue( data: Omit & Partial, ): Promise; findVerificationValue(identifier: string): Promise; deleteVerificationValue(id: string): Promise; deleteVerificationByIdentifier(identifier: string): Promise; updateVerificationValue( id: string, data: Partial, ): Promise; } type CreateCookieGetterFn = ( cookieName: string, overrideAttributes?: Partial | undefined, ) => BetterAuthCookie; type CheckPasswordFn = ( userId: string, ctx: GenericEndpointContext, ) => Promise; export type PluginContext = { getPlugin: ( pluginId: Plugin["id"], ) => Plugin | null; }; export type InfoContext = { appName: string; baseURL: string; version: string; }; export type AuthContext = PluginContext & InfoContext & { options: Options; appName: string; baseURL: string; trustedOrigins: string[]; /** * Verifies whether url is a trusted origin according to the "trustedOrigins" configuration * @param url The url to verify against the "trustedOrigins" configuration * @param settings Specify supported pattern matching settings * @returns {boolean} true if the URL matches the origin pattern, false otherwise. */ isTrustedOrigin: ( url: string, settings?: { allowRelativePaths: boolean }, ) => boolean; oauthConfig: { /** * This is dangerous and should only be used in dev or staging environments. */ skipStateCookieCheck?: boolean | undefined; /** * Strategy for storing OAuth state * * - "cookie": Store state in an encrypted cookie (stateless) * - "database": Store state in the database * * @default "cookie" */ storeStateStrategy: "database" | "cookie"; }; /** * New session that will be set after the request * meaning: there is a `set-cookie` header that will set * the session cookie. This is the fetched session. And it's set * by `setNewSession` method. */ newSession: { session: Session & Record; user: User & Record; } | null; session: { session: Session & Record; user: User & Record; } | null; setNewSession: ( session: { session: Session & Record; user: User & Record; } | null, ) => void; socialProviders: OAuthProvider[]; authCookies: BetterAuthCookies; logger: ReturnType; rateLimit: { enabled: boolean; window: number; max: number; storage: "memory" | "database" | "secondary-storage"; } & Omit< BetterAuthRateLimitOptions, "enabled" | "window" | "max" | "storage" >; adapter: DBAdapter; internalAdapter: InternalAdapter; createAuthCookie: CreateCookieGetterFn; secret: string; sessionConfig: { updateAge: number; expiresIn: number; freshAge: number; cookieRefreshCache: | false | { enabled: true; updateAge: number; }; }; generateId: (options: { model: ModelNames; size?: number | undefined; }) => string | false; secondaryStorage: SecondaryStorage | undefined; password: { hash: (password: string) => Promise; verify: (data: { password: string; hash: string }) => Promise; config: { minPasswordLength: number; maxPasswordLength: number; }; checkPassword: CheckPasswordFn; }; tables: BetterAuthDBSchema; runMigrations: () => Promise; publishTelemetry: (event: { type: string; anonymousId?: string | undefined; payload: Record; }) => Promise; /** * Skip origin check for requests. * * - `true`: Skip for ALL requests (DANGEROUS - disables CSRF protection) * - `string[]`: Skip only for specific paths (e.g., SAML callbacks) * - `false`: Enable origin check (default) * * Paths support prefix matching (e.g., "/sso/saml2/callback" matches * "/sso/saml2/callback/provider-name"). * * @default false (true in test environments) */ skipOriginCheck: boolean | string[]; /** * This skips the CSRF check for all requests. * * This is inferred from the `options.advanced?. * disableCSRFCheck` option. * * @default false */ skipCSRFCheck: boolean; /** * Background task handler for deferred operations. * * This is inferred from the `options.advanced?.backgroundTasks?.handler` option. * Defaults to a no-op that just runs the promise. */ runInBackground: (promise: Promise) => void; /** * Runs a task in the background if `runInBackground` is configured, * otherwise awaits the task directly. * * This is useful for operations like sending emails where we want * to avoid blocking the response when possible (for timing attack * mitigation), but still ensure the operation completes. */ runInBackgroundOrAwait: ( promise: Promise | void, ) => Awaitable; };