refactor(auth): update better auth to 1.4 (#686)

2025-12-16 20:24:27 -06:00 · 2025-12-12 17:33:32 +01:00
parent 9d9be949b0
commit 95662d025f
15 changed files with 242 additions and 309 deletions
--- a/.changeset/fast-schools-pay.md
+++ b/.changeset/fast-schools-pay.md
@@ -0,0 +1,5 @@
+---
+"@papra/docker": patch
+---
+
+Enforcing the auth secret to be at least 32 characters long for security reasons
--- a/.changeset/few-peaches-peel.md
+++ b/.changeset/few-peaches-peel.md
@@ -0,0 +1,5 @@
+---
+"@papra/docker": patch
+---
+
+Now throw an error if AUTH_SECRET is not set in production mode
--- a/apps/papra-client/src/modules/auth/auth.demo.services.ts
+++ b/apps/papra-client/src/modules/auth/auth.demo.services.ts
@@ -17,7 +17,7 @@ export function createDemoAuthClient() {
    },
    signOut: () => Promise.resolve({}),
    signUp: () => Promise.resolve({}),
-    forgetPassword: () => Promise.resolve({}),
+    requestPasswordReset: () => Promise.resolve({}),
    resetPassword: () => Promise.resolve({}),
    sendVerificationEmail: () => Promise.resolve({}),
  };
--- a/apps/papra-client/src/modules/auth/auth.services.ts
+++ b/apps/papra-client/src/modules/auth/auth.services.ts
@@ -20,7 +20,7 @@ export function createAuthClient() {
    // we can't spread the client because it is a proxy object
    signIn: client.signIn,
    signUp: client.signUp,
-    forgetPassword: client.forgetPassword,
+    requestPasswordReset: client.requestPasswordReset,
    resetPassword: client.resetPassword,
    sendVerificationEmail: client.sendVerificationEmail,
    useSession: client.useSession,
@@ -41,7 +41,7 @@ export const {
  signIn,
  signUp,
  signOut,
-  forgetPassword,
+  requestPasswordReset,
  resetPassword,
  sendVerificationEmail,
 } = buildTimeConfig.isDemoMode
--- a/apps/papra-client/src/modules/auth/pages/request-password-reset.page.tsx
+++ b/apps/papra-client/src/modules/auth/pages/request-password-reset.page.tsx
@@ -9,7 +9,7 @@ import { createForm } from '@/modules/shared/form/form';
 import { Button } from '@/modules/ui/components/button';
 import { TextField, TextFieldLabel, TextFieldRoot } from '@/modules/ui/components/textfield';
 import { AuthLayout } from '../../ui/layouts/auth-layout.component';
-import { forgetPassword } from '../auth.services';
+import { requestPasswordReset } from '../auth.services';
 import { OpenEmailProvider } from '../components/open-email-provider.component';

 export const ResetPasswordForm: Component<{ onSubmit: (args: { email: string }) => Promise<void> }> = (props) => {
@@ -64,7 +64,7 @@ export const RequestPasswordResetPage: Component = () => {
  });

  const onPasswordResetRequested = async ({ email }: { email: string }) => {
-    const { error } = await forgetPassword({
+    const { error } = await requestPasswordReset({
      email,
      redirectTo: buildUrl({
        path: '/reset-password',
--- a/apps/papra-server/src/modules/app/auth/auth.config.models.test.ts
+++ b/apps/papra-server/src/modules/app/auth/auth.config.models.test.ts
@@ -0,0 +1,32 @@
+import { describe, expect, test } from 'vitest';
+import { ensureAuthSecretIsNotDefaultInProduction } from './auth.config.models';
+import { createAuthSecretIsDefaultError } from './auth.errors';
+
+describe('auth config models', () => {
+  describe('ensureAuthSecretIsNotDefaultInProduction', () => {
+    const defaultAuthSecret = 'papra-default-auth-secret-change-me';
+
+    test('throws an error if in production and auth secret is the default one', () => {
+      expect(() =>
+        ensureAuthSecretIsNotDefaultInProduction({
+          config: { auth: { secret: defaultAuthSecret }, env: 'production' },
+          defaultAuthSecret,
+        }),
+      ).toThrow(createAuthSecretIsDefaultError());
+
+      expect(() =>
+        ensureAuthSecretIsNotDefaultInProduction({
+          config: { auth: { secret: defaultAuthSecret }, env: 'dev' },
+          defaultAuthSecret,
+        }),
+      ).not.toThrow();
+
+      expect(() =>
+        ensureAuthSecretIsNotDefaultInProduction({
+          config: { auth: { secret: 'a-non-default-secure-secret' }, env: 'production' },
+          defaultAuthSecret,
+        }),
+      ).not.toThrow();
+    });
+  });
+});
--- a/apps/papra-server/src/modules/app/auth/auth.config.models.ts
+++ b/apps/papra-server/src/modules/app/auth/auth.config.models.ts
@@ -0,0 +1,14 @@
+import { DEFAULT_AUTH_SECRET } from './auth.constants';
+import { createAuthSecretIsDefaultError } from './auth.errors';
+
+export function ensureAuthSecretIsNotDefaultInProduction({
+  config,
+  defaultAuthSecret = DEFAULT_AUTH_SECRET,
+}: {
+  config: { auth: { secret: string }; env: string };
+  defaultAuthSecret?: string;
+}) {
+  if (config.env === 'production' && config.auth.secret === defaultAuthSecret) {
+    throw createAuthSecretIsDefaultError();
+  }
+}
--- a/apps/papra-server/src/modules/app/auth/auth.config.ts
+++ b/apps/papra-server/src/modules/app/auth/auth.config.ts
@@ -2,6 +2,7 @@ import type { ConfigDefinition } from 'figue';
 import { z } from 'zod';
 import { booleanishSchema } from '../../config/config.schemas';
 import { parseJson } from '../../intake-emails/intake-emails.schemas';
+import { DEFAULT_AUTH_SECRET } from './auth.constants';

 const customOAuthProviderSchema = z.object({
  providerId: z.string(),
@@ -26,9 +27,9 @@ const customOAuthProviderSchema = z.object({

 export const authConfig = {
  secret: {
-    doc: 'The secret for the auth',
-    schema: z.string(),
-    default: 'change-me-for-god-sake',
+    doc: 'The secret for the auth, it should be at least 32 characters long, you can generate a secure one using `openssl rand -hex 48`',
+    schema: z.string({ required_error: 'Please provide an auth secret using the AUTH_SECRET environment variable, you can use `openssl rand -hex 48` to generate a secure one' }).min(32),
+    default: DEFAULT_AUTH_SECRET,
    env: 'AUTH_SECRET',
  },
  isRegistrationEnabled: {
--- a/apps/papra-server/src/modules/app/auth/auth.constants.test.ts
+++ b/apps/papra-server/src/modules/app/auth/auth.constants.test.ts
@@ -0,0 +1,10 @@
+import { describe, expect, test } from 'vitest';
+import { DEFAULT_AUTH_SECRET } from './auth.constants';
+
+describe('auth constants', () => {
+  describe('default auth secret', () => {
+    test('the default auth secret should be at least 32 characters long', () => {
+      expect(DEFAULT_AUTH_SECRET.length).toBeGreaterThanOrEqual(32);
+    });
+  });
+});
--- a/apps/papra-server/src/modules/app/auth/auth.constants.ts
+++ b/apps/papra-server/src/modules/app/auth/auth.constants.ts
@@ -0,0 +1 @@
+export const DEFAULT_AUTH_SECRET = 'papra-default-auth-secret-change-me';
--- a/apps/papra-server/src/modules/app/auth/auth.errors.ts
+++ b/apps/papra-server/src/modules/app/auth/auth.errors.ts
@@ -17,3 +17,10 @@ export const createForbiddenEmailDomainError = createErrorFactory({
  code: 'auth.forbidden_email_domain',
  statusCode: 403,
 });
+
+export const createAuthSecretIsDefaultError = createErrorFactory({
+  code: 'auth.config.secret_is_default',
+  message: 'In production, the auth secret must not be the default one. Please set a secure auth secret using the AUTH_SECRET environment variable.',
+  statusCode: 500,
+  isInternal: true,
+});
--- a/apps/papra-server/src/modules/config/config.models.ts
+++ b/apps/papra-server/src/modules/config/config.models.ts
@@ -1,5 +1,8 @@
 import type { DeepPartial } from '@corentinth/chisels';
+import type { Logger } from '@crowlog/logger';
 import type { Config } from './config.types';
+import process from 'node:process';
+import { safelySync } from '@corentinth/chisels';
 import { merge, pick } from 'lodash-es';

 export function getPublicConfig({ config }: { config: Config }) {
@@ -45,3 +48,18 @@ export function getClientBaseUrl({ config }: { config: Config }) {
    clientBaseUrl: config.appBaseUrl ?? config.client.baseUrl,
  };
 }
+
+export function exitProcessDueToConfigError({ error, logger }: { error: Error; logger: Logger }): never {
+  logger.error({ error }, `Invalid configuration: ${error.message}`);
+  process.exit(1);
+}
+
+export function validateParsedConfig({ config, logger, validators }: { config: Config; logger: Logger; validators: ((args: { config: Config }) => void)[] }) {
+  for (const validator of validators) {
+    const [,error] = safelySync(() => validator({ config }));
+
+    if (error) {
+      exitProcessDueToConfigError({ error, logger });
+    }
+  }
+}
--- a/apps/papra-server/src/modules/config/config.ts
+++ b/apps/papra-server/src/modules/config/config.ts
@@ -1,11 +1,11 @@
 import type { ConfigDefinition } from 'figue';
 import process from 'node:process';
-import { safelySync } from '@corentinth/chisels';
+import { memoizeOnce, safelySync } from '@corentinth/chisels';
 import { loadConfig } from 'c12';
 import { defineConfig } from 'figue';
-import { memoize } from 'lodash-es';
 import { z } from 'zod';
 import { authConfig } from '../app/auth/auth.config';
+import { ensureAuthSecretIsNotDefaultInProduction } from '../app/auth/auth.config.models';
 import { databaseConfig } from '../app/database/database.config';
 import { documentSearchConfig } from '../documents/document-search/document-search.config';
 import { documentsConfig } from '../documents/documents.config';
@@ -20,6 +20,7 @@ import { isString } from '../shared/utils';
 import { subscriptionsConfig } from '../subscriptions/subscriptions.config';
 import { tasksConfig } from '../tasks/tasks.config';
 import { trackingConfig } from '../tracking/tracking.config';
+import { exitProcessDueToConfigError, validateParsedConfig } from './config.models';
 import { booleanishSchema, trustedOriginsSchema } from './config.schemas';

 export const configDefinition = {
@@ -137,18 +138,25 @@ export async function parseConfig({ env = process.env }: { env?: Record<string,
  const [configResult, configError] = safelySync(() => defineConfig(configDefinition, { envSource: env, defaults: configFromFile }));

  if (configError) {
-    logger.error({ error: configError }, `Invalid config: ${configError.message}`);
-    process.exit(1);
+    exitProcessDueToConfigError({ error: configError, logger });
  }

  const { config } = configResult;

+  validateParsedConfig({
+    config,
+    logger,
+    validators: [
+      ensureAuthSecretIsNotDefaultInProduction,
+    ],
+  });
+
  return { config };
 }

 // Permit to load the default config, regardless of environment variables, and config files
 // memoized to avoid re-parsing the config definition
-export const loadDryConfig = memoize(() => {
+export const loadDryConfig = memoizeOnce(() => {
  const { config } = defineConfig(configDefinition);

  return { config };
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -10,8 +10,8 @@ catalogs:
      specifier: ^6.2.0
      version: 6.2.0
    '@better-auth/expo':
-      specifier: 1.3.34
-      version: 1.3.34
+      specifier: 1.4.6
+      version: 1.4.6
    '@corentinth/chisels':
      specifier: 2.1.0
      version: 2.1.0
@@ -22,8 +22,8 @@ catalogs:
      specifier: ^4.0.3
      version: 4.0.3
    better-auth:
-      specifier: 1.3.34
-      version: 1.3.34
+      specifier: 1.4.6
+      version: 1.4.6
    eslint:
      specifier: ^9.39.1
      version: 9.39.1
@@ -134,7 +134,7 @@ importers:
    dependencies:
      '@better-auth/expo':
        specifier: 'catalog:'
-        version: 1.3.34(better-auth@1.3.34(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(expo-constants@18.0.10)(expo-crypto@15.0.7(expo@54.0.23))(expo-linking@8.0.8)(expo-secure-store@15.0.7(expo@54.0.23))(expo-web-browser@15.0.9(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0)))
+        version: 1.4.6(@better-auth/core@1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@4.1.12))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1))(better-auth@1.4.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(solid-js@1.9.9)(vue@3.5.13(typescript@5.9.3)))(expo-constants@18.0.10)(expo-linking@8.0.8)(expo-web-browser@15.0.9(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0)))
      '@corentinth/chisels':
        specifier: 'catalog:'
        version: 2.1.0
@@ -161,7 +161,7 @@ importers:
        version: 5.90.9(react@19.1.0)
      better-auth:
        specifier: 'catalog:'
-        version: 1.3.34(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+        version: 1.4.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(solid-js@1.9.9)(vue@3.5.13(typescript@5.9.3))
      expo:
        specifier: ~54.0.22
        version: 54.0.23(@babel/core@7.28.4)(@expo/metro-runtime@6.1.2)(expo-router@6.0.14)(graphql@16.8.1)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))(react@19.1.0)
@@ -303,7 +303,7 @@ importers:
        version: 8.21.3(solid-js@1.9.9)
      better-auth:
        specifier: 'catalog:'
-        version: 1.3.34(react@19.1.0)(solid-js@1.9.9)
+        version: 1.4.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(solid-js@1.9.9)(vue@3.5.13(typescript@5.9.3))
      class-variance-authority:
        specifier: ^0.7.1
        version: 0.7.1
@@ -397,7 +397,7 @@ importers:
        version: 12.27.0
      '@better-auth/expo':
        specifier: 'catalog:'
-        version: 1.3.34(better-auth@1.3.34(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(expo-constants@18.0.10)(expo-crypto@15.0.7(expo@54.0.23))(expo-linking@8.0.8)(expo-secure-store@15.0.7(expo@54.0.23))(expo-web-browser@15.0.9(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0)))
+        version: 1.4.6(@better-auth/core@1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@3.25.67))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1))(better-auth@1.4.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(solid-js@1.9.9)(vue@3.5.13(typescript@5.9.3)))(expo-constants@18.0.10)(expo-linking@8.0.8)(expo-web-browser@15.0.9(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0)))
      '@cadence-mq/core':
        specifier: ^0.2.1
        version: 0.2.1
@@ -445,7 +445,7 @@ importers:
        version: 3.0.0
      better-auth:
        specifier: 'catalog:'
-        version: 1.3.34(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+        version: 1.4.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(solid-js@1.9.9)(vue@3.5.13(typescript@5.9.3))
      busboy:
        specifier: ^1.6.0
        version: 1.6.0
@@ -1648,28 +1648,39 @@ packages:
    resolution: {integrity: sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==}
    engines: {node: '>=18'}

-  '@better-auth/core@1.3.34':
-    resolution: {integrity: sha512-rt/Bgl0Xa8OQ2DUMKCZEJ8vL9kUw4NCJsBP9Sj9uRhbsK8NEMPiznUOFMkUY2FvrslvfKN7H/fivwyHz9c7HzQ==}
+  '@better-auth/core@1.4.6':
+    resolution: {integrity: sha512-cYjscr4wU5ZJPhk86JuUkecJT+LSYCFmUzYaitiLkizl+wCr1qdPFSEoAnRVZVTUEEoKpeS2XW69voBJ1NoB3g==}
    peerDependencies:
      '@better-auth/utils': 0.3.0
      '@better-fetch/fetch': 1.1.18
-      better-call: 1.0.19
+      better-call: 1.1.5
      jose: ^6.1.0
      kysely: ^0.28.5
      nanostores: ^1.0.1

-  '@better-auth/expo@1.3.34':
-    resolution: {integrity: sha512-/aWc4qg01+Nrto47U9iBS/jp7GO4OOChY0DxAo6Fn/U/QBmx/F7hcZ0DkbjzcUfWPBEpjefK97DALwf2VVgq6Q==}
+  '@better-auth/expo@1.4.6':
+    resolution: {integrity: sha512-/mIZQrCTKfAFSRrJK/T1+SrDtERby2bpi3riARawcfwAFgdPCs9XbVHUVVhLMhiUK+JdoRAms/sORtcWn9jZdA==}
    peerDependencies:
-      better-auth: 1.3.34
+      '@better-auth/core': 1.4.6
+      better-auth: 1.4.6
      expo-constants: '>=17.0.0'
-      expo-crypto: '>=13.0.0'
      expo-linking: '>=7.0.0'
-      expo-secure-store: '>=14.0.0'
+      expo-network: ^8.0.7
      expo-web-browser: '>=14.0.0'
+    peerDependenciesMeta:
+      expo-constants:
+        optional: true
+      expo-linking:
+        optional: true
+      expo-network:
+        optional: true
+      expo-web-browser:
+        optional: true

-  '@better-auth/telemetry@1.3.34':
-    resolution: {integrity: sha512-aQZ3wN90YMqV49diWxAMe1k7s2qb55KCsedCZne5PlgCjU4s3YtnqyjC5FEpzw2KY8l8rvR7DMAsDl13NjObKA==}
+  '@better-auth/telemetry@1.4.6':
+    resolution: {integrity: sha512-idc9MGJXxWA7zl2U9zsbdG6+2ZCeqWdPq1KeFSfyqGMFtI1VPQOx9YWLqNPOt31YnOX77ojZSraU2sb7IRdBMA==}
+    peerDependencies:
+      '@better-auth/core': 1.4.6

  '@better-auth/utils@0.3.0':
    resolution: {integrity: sha512-W+Adw6ZA6mgvnSnhOki270rwJ42t4XzSK6YWGF//BbVXL6SwCLWfyzBc1lN2m/4RM28KubdBKQ4X5VMoLRNPQw==}
@@ -3055,9 +3066,6 @@ packages:
  '@hapi/topo@5.1.0':
    resolution: {integrity: sha512-foQZKJig7Ob0BMAYBfcJk8d77QtOe7Wo4ox7ff1lQYoNNAb6jwcY1ncdoy2e9wQZzvNy7ODZCYJkK8kzmcAnAg==}

-  '@hexagon/base64@1.1.28':
-    resolution: {integrity: sha512-lhqDEAvWixy3bZ+UOYbPwUbBkwBq5C1LAJ/xPC8Oi+lL54oyakv/npbA0aU2hgCsx/1NUd4IBvV03+aUBWxerw==}
-
  '@hono/node-server@1.19.6':
    resolution: {integrity: sha512-Shz/KjlIeAhfiuE93NDKVdZ7HdBVLQAfdbaXEaoAVO3ic9ibRSLGIQGkcBbFyuLr+7/1D5ZCINM8B+6IvXeMtw==}
    engines: {node: '>=18.14.1'}
@@ -3315,9 +3323,6 @@ packages:
    peerDependencies:
      solid-js: ^1.8.8

-  '@levischuck/tiny-cbor@0.2.11':
-    resolution: {integrity: sha512-llBRm4dT4Z89aRsm6u2oEZ8tfwL/2l6BwpZ7JcyieouniDECM5AqNgr/y08zalEIvW3RSK4upYyybDcmjXqAow==}
-
  '@libsql/client@0.14.0':
    resolution: {integrity: sha512-/9HEKfn6fwXB5aTEEoMeFh4CtG0ZzbncBb1e++OCdVpgKZ/xyMsIVYXm0w7Pv4RUel803vE6LwniB3PqD72R0Q==}

@@ -3625,42 +3630,6 @@ packages:
    peerDependencies:
      solid-js: '>=1.5.0'

-  '@peculiar/asn1-android@2.3.15':
-    resolution: {integrity: sha512-8U2TIj59cRlSXTX2d0mzUKP7whfWGFMzTeC3qPgAbccXFrPNZLaDhpNEdG5U2QZ/tBv/IHlCJ8s+KYXpJeop6w==}
-
-  '@peculiar/asn1-cms@2.5.0':
-    resolution: {integrity: sha512-p0SjJ3TuuleIvjPM4aYfvYw8Fk1Hn/zAVyPJZTtZ2eE9/MIer6/18ROxX6N/e6edVSfvuZBqhxAj3YgsmSjQ/A==}
-
-  '@peculiar/asn1-csr@2.5.0':
-    resolution: {integrity: sha512-ioigvA6WSYN9h/YssMmmoIwgl3RvZlAYx4A/9jD2qaqXZwGcNlAxaw54eSx2QG1Yu7YyBC5Rku3nNoHrQ16YsQ==}
-
-  '@peculiar/asn1-ecc@2.5.0':
-    resolution: {integrity: sha512-t4eYGNhXtLRxaP50h3sfO6aJebUCDGQACoeexcelL4roMFRRVgB20yBIu2LxsPh/tdW9I282gNgMOyg3ywg/mg==}
-
-  '@peculiar/asn1-pfx@2.5.0':
-    resolution: {integrity: sha512-Vj0d0wxJZA+Ztqfb7W+/iu8Uasw6hhKtCdLKXLG/P3kEPIQpqGI4P4YXlROfl7gOCqFIbgsj1HzFIFwQ5s20ug==}
-
-  '@peculiar/asn1-pkcs8@2.5.0':
-    resolution: {integrity: sha512-L7599HTI2SLlitlpEP8oAPaJgYssByI4eCwQq2C9eC90otFpm8MRn66PpbKviweAlhinWQ3ZjDD2KIVtx7PaVw==}
-
-  '@peculiar/asn1-pkcs9@2.5.0':
-    resolution: {integrity: sha512-UgqSMBLNLR5TzEZ5ZzxR45Nk6VJrammxd60WMSkofyNzd3DQLSNycGWSK5Xg3UTYbXcDFyG8pA/7/y/ztVCa6A==}
-
-  '@peculiar/asn1-rsa@2.5.0':
-    resolution: {integrity: sha512-qMZ/vweiTHy9syrkkqWFvbT3eLoedvamcUdnnvwyyUNv5FgFXA3KP8td+ATibnlZ0EANW5PYRm8E6MJzEB/72Q==}
-
-  '@peculiar/asn1-schema@2.5.0':
-    resolution: {integrity: sha512-YM/nFfskFJSlHqv59ed6dZlLZqtZQwjRVJ4bBAiWV08Oc+1rSd5lDZcBEx0lGDHfSoH3UziI2pXt2UM33KerPQ==}
-
-  '@peculiar/asn1-x509-attr@2.5.0':
-    resolution: {integrity: sha512-9f0hPOxiJDoG/bfNLAFven+Bd4gwz/VzrCIIWc1025LEI4BXO0U5fOCTNDPbbp2ll+UzqKsZ3g61mpBp74gk9A==}
-
-  '@peculiar/asn1-x509@2.5.0':
-    resolution: {integrity: sha512-CpwtMCTJvfvYTFMuiME5IH+8qmDe3yEWzKHe7OOADbGfq7ohxeLaXwQo0q4du3qs0AII3UbLCvb9NF/6q0oTKQ==}
-
-  '@peculiar/x509@1.14.0':
-    resolution: {integrity: sha512-Yc4PDxN3OrxUPiXgU63c+ZRXKGE8YKF2McTciYhUHFtHVB0KMnjeFSU0qpztGhsp4P0uKix4+J2xEpIEDu8oXg==}
-
  '@petamoriken/float16@3.9.1':
    resolution: {integrity: sha512-j+ejhYwY6PeB+v1kn7lZFACUIG97u90WxMuGosILFsl9d4Ovi0sjk0GlPfoEcx+FzvXZDAfioD+NGnnPamXgMA==}

@@ -4452,13 +4421,6 @@ packages:
  '@sideway/pinpoint@2.0.0':
    resolution: {integrity: sha512-RNiOoTPkptFtSVzQevY/yWtZwf/RxyVnPy/OcA9HBM3MlGDnBEYL5B41H0MTn0Uec8Hi+2qUtTfG2WWZBmMejQ==}

-  '@simplewebauthn/browser@13.2.2':
-    resolution: {integrity: sha512-FNW1oLQpTJyqG5kkDg5ZsotvWgmBaC6jCHR7Ej0qUNep36Wl9tj2eZu7J5rP+uhXgHaLk+QQ3lqcw2vS5MX1IA==}
-
-  '@simplewebauthn/server@13.2.2':
-    resolution: {integrity: sha512-HcWLW28yTMGXpwE9VLx9J+N2KEUaELadLrkPEEI9tpI5la70xNEVEsu/C+m3u7uoq4FulLqZQhgBCzR9IZhFpA==}
-    engines: {node: '>=20.0.0'}
-
  '@sinclair/typebox@0.27.8':
    resolution: {integrity: sha512-+Fj43pSMwJs4KRrH/938Uf+uAELIgVBmQzg/q1YG10djyfA3TnrU8N8XzqCh/okZdszqBQTZf96idMfE5lnwTA==}

@@ -5691,10 +5653,6 @@ packages:
  asn1@0.2.6:
    resolution: {integrity: sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==}

-  asn1js@3.0.6:
-    resolution: {integrity: sha512-UOCGPYbl0tv8+006qks/dTgV9ajs97X2p0FAbyS2iyCRrmLSRolDaHdp+v/CLgnzHc3fVB+CwYiUmei7ndFcgA==}
-    engines: {node: '>=12.0.0'}
-
  ast-kit@2.1.1:
    resolution: {integrity: sha512-mfh6a7gKXE8pDlxTvqIc/syH/P3RkzbOF6LeHdcKztLEzYe6IMsRCL7N8vI7hqTGWNxpkCuuRTpT21xNWqhRtQ==}
    engines: {node: '>=20.18.0'}
@@ -5902,22 +5860,25 @@ packages:
  bcrypt-pbkdf@1.0.2:
    resolution: {integrity: sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==}

-  better-auth@1.3.34:
-    resolution: {integrity: sha512-LWA52SlvnUBJRbN8VLSTLILPomZY3zZAiLxVJCeSQ5uVmaIKkMBhERitkfJcXB9RJcfl4uP+3EqKkb6hX1/uiw==}
+  better-auth@1.4.6:
+    resolution: {integrity: sha512-5wEBzjolrQA26b4uT6FVVYICsE3SmE/MzrZtl8cb2a3TJtswpP8v3OVV5yTso+ef9z85swgZk0/qBzcULFWVtA==}
    peerDependencies:
      '@lynx-js/react': '*'
-      '@sveltejs/kit': '*'
-      next: '*'
-      react: '*'
-      react-dom: '*'
-      solid-js: '*'
-      svelte: '*'
-      vue: '*'
+      '@sveltejs/kit': ^2.0.0
+      '@tanstack/react-start': ^1.0.0
+      next: ^14.0.0 || ^15.0.0 || ^16.0.0
+      react: ^18.0.0 || ^19.0.0
+      react-dom: ^18.0.0 || ^19.0.0
+      solid-js: ^1.0.0
+      svelte: ^4.0.0 || ^5.0.0
+      vue: ^3.0.0
    peerDependenciesMeta:
      '@lynx-js/react':
        optional: true
      '@sveltejs/kit':
        optional: true
+      '@tanstack/react-start':
+        optional: true
      next:
        optional: true
      react:
@@ -5931,8 +5892,13 @@ packages:
      vue:
        optional: true

-  better-call@1.0.19:
-    resolution: {integrity: sha512-sI3GcA1SCVa3H+CDHl8W8qzhlrckwXOTKhqq3OOPXjgn5aTOMIqGY34zLY/pHA6tRRMjTUC3lz5Mi7EbDA24Kw==}
+  better-call@1.1.5:
+    resolution: {integrity: sha512-nQJ3S87v6wApbDwbZ++FrQiSiVxWvZdjaO+2v6lZJAG2WWggkB2CziUDjPciz3eAt9TqfRursIQMZIcpkBnvlw==}
+    peerDependencies:
+      zod: ^4.0.0
+    peerDependenciesMeta:
+      zod:
+        optional: true

  better-opn@3.0.2:
    resolution: {integrity: sha512-aVNobHnJqLiUelTaHat9DZ1qM2w0C0Eym4LPI/3JxOnSokGVdsl1T1kN7TFvsEAD8G47A6VKQ0TVHqbBnYMJlQ==}
@@ -7373,11 +7339,6 @@ packages:
      expo: '*'
      react-native: '*'

-  expo-crypto@15.0.7:
-    resolution: {integrity: sha512-FUo41TwwGT2e5rA45PsjezI868Ch3M6wbCZsmqTWdF/hr+HyPcrp1L//dsh/hsrsyrQdpY/U96Lu71/wXePJeg==}
-    peerDependencies:
-      expo: '*'
-
  expo-document-picker@14.0.7:
    resolution: {integrity: sha512-81Jh8RDD0GYBUoSTmIBq30hXXjmkDV1ZY2BNIp1+3HR5PDSh2WmdhD/Ezz5YFsv46hIXHsQc+Kh1q8vn6OLT9Q==}
    peerDependencies:
@@ -9377,6 +9338,10 @@ packages:
  ms@2.1.3:
    resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}

+  ms@4.0.0-nightly.202508271359:
+    resolution: {integrity: sha512-WC/Eo7NzFrOV/RRrTaI0fxKVbNCzEy76j2VqNV8SxDf9D69gSE2Lh0QwYvDlhiYmheBYExAvEAxVf5NoN0cj2A==}
+    engines: {node: '>=20'}
+
  multipasta@0.2.7:
    resolution: {integrity: sha512-KPA58d68KgGil15oDqXjkUBEBYc00XvbPj5/X+dyzeo/lWm9Nc25pQRlf1D+gv4OpK7NM0J1odrbu9JNNGvynA==}

@@ -10023,13 +9988,6 @@ packages:
    resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==}
    engines: {node: '>=6'}

-  pvtsutils@1.3.6:
-    resolution: {integrity: sha512-PLgQXQ6H2FWCaeRak8vvk1GW462lMxB5s3Jm673N82zI4vqtVUPuZdffdZbPDFRoU8kAhItWFtPCWiPpp4/EDg==}
-
-  pvutils@1.1.3:
-    resolution: {integrity: sha512-pMpnA0qRdFp32b1sJl1wOJNxZLQ2cbQx+k6tjNtZ8CpvVhNqEPRgivZ2WOUev2YMajecdH7ctUPDvEe87nariQ==}
-    engines: {node: '>=6.0.0'}
-
  qrcode-terminal@0.11.0:
    resolution: {integrity: sha512-Uu7ii+FQy4Qf82G4xu7ShHhjhGahEpCWc3x8UavY3CTcWV+ufmmCtwkr7ZKsX42jdL0kr1B5FKUeqJvAn51jzQ==}
    hasBin: true
@@ -10258,9 +10216,6 @@ packages:
    resolution: {integrity: sha512-J8rn6v4DBb2nnFqkqwy6/NnTYMcgLA+sLr0iIO41qpv0n+ngb7ksag2tMRl0inb1bbO/esUwzW1vbJi7K0sI0g==}
    engines: {node: ^12.0.0 || ^14.0.0 || >=16.0.0}

-  reflect-metadata@0.2.2:
-    resolution: {integrity: sha512-urBwgfrvVP/eAyXx4hluJivBKzuEbSQs9rKWCrCkbSxNv8mxPcUZKeuoF3Uy4mJl3Lwprp6yy5/39VWigZ4K6Q==}
-
  reflect.getprototypeof@1.0.10:
    resolution: {integrity: sha512-00o4I+DVrefhv+nX0ulyi3biSHCPDe+yLv5o/p6d/UVlirijB8E16FtfwSAi4g3tcqrQ4lRAqQSoFEZJehYEcw==}
    engines: {node: '>= 0.4'}
@@ -10488,8 +10443,8 @@ packages:
    engines: {node: '>=18.0.0', npm: '>=8.0.0'}
    hasBin: true

-  rou3@0.5.1:
-    resolution: {integrity: sha512-OXMmJ3zRk2xeXFGfA3K+EOPHC5u7RDFG7lIOx0X1pdnhUkI8MdVrbV+sNsD80ElpUZ+MRHdyxPnFthq9VHs8uQ==}
+  rou3@0.7.11:
+    resolution: {integrity: sha512-ELguG3ENDw5NKNmWHO3OGEjcgdxkCNvnMR22gKHEgRXuwiriap5RIYdummOaOiqUNcC5yU5txGCHWNm7KlHuAA==}

  rrweb-cssom@0.8.0:
    resolution: {integrity: sha512-guoltQEx+9aMf2gDZ0s62EcV8lsXR+0w8915TC3ITdn2YueuNjdAYh/levpU9nFaoChh9RUS5ZdQMrKfVEN9tw==}
@@ -11277,9 +11232,6 @@ packages:
  tsee@1.3.4:
    resolution: {integrity: sha512-QD6huu+7aqZBjKjVgc4JaYRViICAlNefKiWuge5iUx3oYEz6a7f/uDBrAdwVmHCVetkhQ7MmNNd1HrF1LV7Rjg==}

-  tslib@1.14.1:
-    resolution: {integrity: sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==}
-
  tslib@2.4.1:
    resolution: {integrity: sha512-tGyy4dAjRIEwI7BzsB0lynWgOpfqjUdq91XXAlIWD2OwKBH7oCl/GZG/HT4BOHrTlPMOASlMQ7veyTqpmRcrNA==}

@@ -11294,10 +11246,6 @@ packages:
    engines: {node: '>=18.0.0'}
    hasBin: true

-  tsyringe@4.10.0:
-    resolution: {integrity: sha512-axr3IdNuVIxnaK5XGEUFTu3YmAQ6lllgrvqfEoR16g/HGnYY/6We4oWENtAnzK6/LpJ2ur9PAb80RBt7/U4ugw==}
-    engines: {node: '>= 6.0.0'}
-
  tunnel-agent@0.6.0:
    resolution: {integrity: sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==}

@@ -13722,37 +13670,57 @@ snapshots:

  '@bcoe/v8-coverage@1.0.2': {}

-  '@better-auth/core@1.3.34(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.0.19)(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)':
+  '@better-auth/core@1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@3.25.67))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)':
    dependencies:
      '@better-auth/utils': 0.3.0
      '@better-fetch/fetch': 1.1.18
-      better-call: 1.0.19
+      '@standard-schema/spec': 1.0.0
+      better-call: 1.1.5(zod@3.25.67)
      jose: 6.1.0
      kysely: 0.28.8
      nanostores: 1.0.1
      zod: 4.1.12

-  '@better-auth/expo@1.3.34(better-auth@1.3.34(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(expo-constants@18.0.10)(expo-crypto@15.0.7(expo@54.0.23))(expo-linking@8.0.8)(expo-secure-store@15.0.7(expo@54.0.23))(expo-web-browser@15.0.9(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0)))':
+  '@better-auth/core@1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@4.1.12))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)':
    dependencies:
-      '@better-fetch/fetch': 1.1.18
-      better-auth: 1.3.34(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
-      expo-constants: 18.0.10(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))
-      expo-crypto: 15.0.7(expo@54.0.23)
-      expo-linking: 8.0.8(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))(react@19.1.0)
-      expo-secure-store: 15.0.7(expo@54.0.23)
-      expo-web-browser: 15.0.9(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))
-      zod: 4.1.12
-
-  '@better-auth/telemetry@1.3.34(better-call@1.0.19)(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)':
-    dependencies:
-      '@better-auth/core': 1.3.34(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.0.19)(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)
      '@better-auth/utils': 0.3.0
      '@better-fetch/fetch': 1.1.18
-    transitivePeerDependencies:
-      - better-call
-      - jose
-      - kysely
-      - nanostores
+      '@standard-schema/spec': 1.0.0
+      better-call: 1.1.5(zod@3.25.76)
+      jose: 6.1.0
+      kysely: 0.28.8
+      nanostores: 1.0.1
+      zod: 4.1.12
+
+  '@better-auth/expo@1.4.6(@better-auth/core@1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@3.25.67))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1))(better-auth@1.4.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(solid-js@1.9.9)(vue@3.5.13(typescript@5.9.3)))(expo-constants@18.0.10)(expo-linking@8.0.8)(expo-web-browser@15.0.9(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0)))':
+    dependencies:
+      '@better-auth/core': 1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@3.25.67))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)
+      '@better-fetch/fetch': 1.1.18
+      better-auth: 1.4.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(solid-js@1.9.9)(vue@3.5.13(typescript@5.9.3))
+      better-call: 1.1.5(zod@4.1.12)
+      zod: 4.1.12
+    optionalDependencies:
+      expo-constants: 18.0.10(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))
+      expo-linking: 8.0.8(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))(react@19.1.0)
+      expo-web-browser: 15.0.9(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))
+
+  '@better-auth/expo@1.4.6(@better-auth/core@1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@4.1.12))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1))(better-auth@1.4.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(solid-js@1.9.9)(vue@3.5.13(typescript@5.9.3)))(expo-constants@18.0.10)(expo-linking@8.0.8)(expo-web-browser@15.0.9(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0)))':
+    dependencies:
+      '@better-auth/core': 1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@4.1.12))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)
+      '@better-fetch/fetch': 1.1.18
+      better-auth: 1.4.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(solid-js@1.9.9)(vue@3.5.13(typescript@5.9.3))
+      better-call: 1.1.5(zod@4.1.12)
+      zod: 4.1.12
+    optionalDependencies:
+      expo-constants: 18.0.10(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))
+      expo-linking: 8.0.8(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))(react@19.1.0)
+      expo-web-browser: 15.0.9(expo@54.0.23)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))
+
+  '@better-auth/telemetry@1.4.6(@better-auth/core@1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@4.1.12))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1))':
+    dependencies:
+      '@better-auth/core': 1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@4.1.12))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)
+      '@better-auth/utils': 0.3.0
+      '@better-fetch/fetch': 1.1.18

  '@better-auth/utils@0.3.0': {}

@@ -15172,8 +15140,6 @@ snapshots:
    dependencies:
      '@hapi/hoek': 9.3.0

-  '@hexagon/base64@1.1.28': {}
-
  '@hono/node-server@1.19.6(hono@4.10.7)':
    dependencies:
      hono: 4.10.7
@@ -15469,8 +15435,6 @@ snapshots:
      '@solid-primitives/utils': 6.2.3(solid-js@1.9.9)
      solid-js: 1.9.9

-  '@levischuck/tiny-cbor@0.2.11': {}
-
  '@libsql/client@0.14.0':
    dependencies:
      '@libsql/core': 0.14.0
@@ -15843,102 +15807,6 @@ snapshots:
      - react
      - use-sync-external-store

-  '@peculiar/asn1-android@2.3.15':
-    dependencies:
-      '@peculiar/asn1-schema': 2.5.0
-      asn1js: 3.0.6
-      tslib: 2.8.1
-
-  '@peculiar/asn1-cms@2.5.0':
-    dependencies:
-      '@peculiar/asn1-schema': 2.5.0
-      '@peculiar/asn1-x509': 2.5.0
-      '@peculiar/asn1-x509-attr': 2.5.0
-      asn1js: 3.0.6
-      tslib: 2.8.1
-
-  '@peculiar/asn1-csr@2.5.0':
-    dependencies:
-      '@peculiar/asn1-schema': 2.5.0
-      '@peculiar/asn1-x509': 2.5.0
-      asn1js: 3.0.6
-      tslib: 2.8.1
-
-  '@peculiar/asn1-ecc@2.5.0':
-    dependencies:
-      '@peculiar/asn1-schema': 2.5.0
-      '@peculiar/asn1-x509': 2.5.0
-      asn1js: 3.0.6
-      tslib: 2.8.1
-
-  '@peculiar/asn1-pfx@2.5.0':
-    dependencies:
-      '@peculiar/asn1-cms': 2.5.0
-      '@peculiar/asn1-pkcs8': 2.5.0
-      '@peculiar/asn1-rsa': 2.5.0
-      '@peculiar/asn1-schema': 2.5.0
-      asn1js: 3.0.6
-      tslib: 2.8.1
-
-  '@peculiar/asn1-pkcs8@2.5.0':
-    dependencies:
-      '@peculiar/asn1-schema': 2.5.0
-      '@peculiar/asn1-x509': 2.5.0
-      asn1js: 3.0.6
-      tslib: 2.8.1
-
-  '@peculiar/asn1-pkcs9@2.5.0':
-    dependencies:
-      '@peculiar/asn1-cms': 2.5.0
-      '@peculiar/asn1-pfx': 2.5.0
-      '@peculiar/asn1-pkcs8': 2.5.0
-      '@peculiar/asn1-schema': 2.5.0
-      '@peculiar/asn1-x509': 2.5.0
-      '@peculiar/asn1-x509-attr': 2.5.0
-      asn1js: 3.0.6
-      tslib: 2.8.1
-
-  '@peculiar/asn1-rsa@2.5.0':
-    dependencies:
-      '@peculiar/asn1-schema': 2.5.0
-      '@peculiar/asn1-x509': 2.5.0
-      asn1js: 3.0.6
-      tslib: 2.8.1
-
-  '@peculiar/asn1-schema@2.5.0':
-    dependencies:
-      asn1js: 3.0.6
-      pvtsutils: 1.3.6
-      tslib: 2.8.1
-
-  '@peculiar/asn1-x509-attr@2.5.0':
-    dependencies:
-      '@peculiar/asn1-schema': 2.5.0
-      '@peculiar/asn1-x509': 2.5.0
-      asn1js: 3.0.6
-      tslib: 2.8.1
-
-  '@peculiar/asn1-x509@2.5.0':
-    dependencies:
-      '@peculiar/asn1-schema': 2.5.0
-      asn1js: 3.0.6
-      pvtsutils: 1.3.6
-      tslib: 2.8.1
-
-  '@peculiar/x509@1.14.0':
-    dependencies:
-      '@peculiar/asn1-cms': 2.5.0
-      '@peculiar/asn1-csr': 2.5.0
-      '@peculiar/asn1-ecc': 2.5.0
-      '@peculiar/asn1-pkcs9': 2.5.0
-      '@peculiar/asn1-rsa': 2.5.0
-      '@peculiar/asn1-schema': 2.5.0
-      '@peculiar/asn1-x509': 2.5.0
-      pvtsutils: 1.3.6
-      reflect-metadata: 0.2.2
-      tslib: 2.8.1
-      tsyringe: 4.10.0
-
  '@petamoriken/float16@3.9.1': {}

  '@pkgjs/parseargs@0.11.0':
@@ -16758,19 +16626,6 @@ snapshots:

  '@sideway/pinpoint@2.0.0': {}

-  '@simplewebauthn/browser@13.2.2': {}
-
-  '@simplewebauthn/server@13.2.2':
-    dependencies:
-      '@hexagon/base64': 1.1.28
-      '@levischuck/tiny-cbor': 0.2.11
-      '@peculiar/asn1-android': 2.3.15
-      '@peculiar/asn1-ecc': 2.5.0
-      '@peculiar/asn1-rsa': 2.5.0
-      '@peculiar/asn1-schema': 2.5.0
-      '@peculiar/asn1-x509': 2.5.0
-      '@peculiar/x509': 1.14.0
-
  '@sinclair/typebox@0.27.8': {}

  '@sindresorhus/base62@1.0.0': {}
@@ -18366,12 +18221,6 @@ snapshots:
    dependencies:
      safer-buffer: 2.1.2

-  asn1js@3.0.6:
-    dependencies:
-      pvtsutils: 1.3.6
-      pvutils: 1.1.3
-      tslib: 2.8.1
-
  ast-kit@2.1.1:
    dependencies:
      '@babel/parser': 7.28.5
@@ -18747,53 +18596,53 @@ snapshots:
    dependencies:
      tweetnacl: 0.14.5

-  better-auth@1.3.34(react-dom@19.1.0(react@19.1.0))(react@19.1.0):
+  better-auth@1.4.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(solid-js@1.9.9)(vue@3.5.13(typescript@5.9.3)):
    dependencies:
-      '@better-auth/core': 1.3.34(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.0.19)(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)
-      '@better-auth/telemetry': 1.3.34(better-call@1.0.19)(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)
+      '@better-auth/core': 1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@4.1.12))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)
+      '@better-auth/telemetry': 1.4.6(@better-auth/core@1.4.6(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.1.5(zod@4.1.12))(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1))
      '@better-auth/utils': 0.3.0
      '@better-fetch/fetch': 1.1.18
      '@noble/ciphers': 2.0.1
      '@noble/hashes': 2.0.1
-      '@simplewebauthn/browser': 13.2.2
-      '@simplewebauthn/server': 13.2.2
-      better-call: 1.0.19
+      better-call: 1.1.5(zod@3.25.76)
      defu: 6.1.4
      jose: 6.1.0
      kysely: 0.28.8
+      ms: 4.0.0-nightly.202508271359
      nanostores: 1.0.1
      zod: 4.1.12
    optionalDependencies:
      react: 19.1.0
      react-dom: 19.1.0(react@19.1.0)
-
-  better-auth@1.3.34(react@19.1.0)(solid-js@1.9.9):
-    dependencies:
-      '@better-auth/core': 1.3.34(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.0.19)(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)
-      '@better-auth/telemetry': 1.3.34(better-call@1.0.19)(jose@6.1.0)(kysely@0.28.8)(nanostores@1.0.1)
-      '@better-auth/utils': 0.3.0
-      '@better-fetch/fetch': 1.1.18
-      '@noble/ciphers': 2.0.1
-      '@noble/hashes': 2.0.1
-      '@simplewebauthn/browser': 13.2.2
-      '@simplewebauthn/server': 13.2.2
-      better-call: 1.0.19
-      defu: 6.1.4
-      jose: 6.1.0
-      kysely: 0.28.8
-      nanostores: 1.0.1
-      zod: 4.1.12
-    optionalDependencies:
-      react: 19.1.0
      solid-js: 1.9.9
+      vue: 3.5.13(typescript@5.9.3)

-  better-call@1.0.19:
+  better-call@1.1.5(zod@3.25.67):
    dependencies:
      '@better-auth/utils': 0.3.0
      '@better-fetch/fetch': 1.1.18
-      rou3: 0.5.1
+      rou3: 0.7.11
      set-cookie-parser: 2.7.1
-      uncrypto: 0.1.3
+    optionalDependencies:
+      zod: 3.25.67
+
+  better-call@1.1.5(zod@3.25.76):
+    dependencies:
+      '@better-auth/utils': 0.3.0
+      '@better-fetch/fetch': 1.1.18
+      rou3: 0.7.11
+      set-cookie-parser: 2.7.1
+    optionalDependencies:
+      zod: 3.25.76
+
+  better-call@1.1.5(zod@4.1.12):
+    dependencies:
+      '@better-auth/utils': 0.3.0
+      '@better-fetch/fetch': 1.1.18
+      rou3: 0.7.11
+      set-cookie-parser: 2.7.1
+    optionalDependencies:
+      zod: 4.1.12

  better-opn@3.0.2:
    dependencies:
@@ -20556,11 +20405,6 @@ snapshots:
    transitivePeerDependencies:
      - supports-color

-  expo-crypto@15.0.7(expo@54.0.23):
-    dependencies:
-      base64-js: 1.5.1
-      expo: 54.0.23(@babel/core@7.28.4)(@expo/metro-runtime@6.1.2)(expo-router@6.0.14)(graphql@16.8.1)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))(react@19.1.0)
-
  expo-document-picker@14.0.7(expo@54.0.23):
    dependencies:
      expo: 54.0.23(@babel/core@7.28.4)(@expo/metro-runtime@6.1.2)(expo-router@6.0.14)(graphql@16.8.1)(react-native@0.81.5(@babel/core@7.28.4)(@react-native-community/cli@20.0.2(typescript@5.9.3))(@types/react@19.1.17)(react@19.1.0))(react@19.1.0)
@@ -23311,6 +23155,8 @@ snapshots:

  ms@2.1.3: {}

+  ms@4.0.0-nightly.202508271359: {}
+
  multipasta@0.2.7: {}

  mute-stream@0.0.8: {}
@@ -23964,12 +23810,6 @@ snapshots:

  punycode@2.3.1: {}

-  pvtsutils@1.3.6:
-    dependencies:
-      tslib: 2.8.1
-
-  pvutils@1.1.3: {}
-
  qrcode-terminal@0.11.0: {}

  qrcode-terminal@0.12.0: {}
@@ -24292,8 +24132,6 @@ snapshots:
    dependencies:
      '@eslint-community/regexpp': 4.12.1

-  reflect-metadata@0.2.2: {}
-
  reflect.getprototypeof@1.0.10:
    dependencies:
      call-bind: 1.0.8
@@ -24656,7 +24494,7 @@ snapshots:
      '@rollup/rollup-win32-x64-msvc': 4.52.4
      fsevents: 2.3.3

-  rou3@0.5.1: {}
+  rou3@0.7.11: {}

  rrweb-cssom@0.8.0:
    optional: true
@@ -25598,8 +25436,6 @@ snapshots:
    dependencies:
      '@types/node': 12.20.55

-  tslib@1.14.1: {}
-
  tslib@2.4.1: {}

  tslib@2.6.2: {}
@@ -25613,10 +25449,6 @@ snapshots:
    optionalDependencies:
      fsevents: 2.3.3

-  tsyringe@4.10.0:
-    dependencies:
-      tslib: 1.14.1
-
  tunnel-agent@0.6.0:
    dependencies:
      safe-buffer: 5.1.2
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -4,11 +4,11 @@ packages:

 catalog:
  '@antfu/eslint-config': ^6.2.0
-  '@better-auth/expo': 1.3.34
+  '@better-auth/expo': 1.4.6
  '@corentinth/chisels': 2.1.0
  '@types/node': ^24.0.0
  '@vitest/coverage-v8': ^4.0.3
-  better-auth: 1.3.34
+  better-auth: 1.4.6
  eslint: ^9.39.1
  tsdown: ^0.13.4
  tsx: ^4.20.6
				`@@ -0,0 +1 @@`
				`export const DEFAULT_AUTH_SECRET = 'papra-default-auth-secret-change-me';`