feat(admin): add support role with permissions for user updates and enforce role change validation (#6699)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: Bekacru

packages/better-auth/src/api/routes/session.ts

@@ -597,11 +597,23 @@ export const listSessions = <Option extends BetterAuthOptions>() =>
 				const sessions = await ctx.context.internalAdapter.listSessions(
 					ctx.context.session.user.id,
 				);
-				const activeSessions = sessions.filter((session) => {
-					return session.expiresAt > new Date();
-				});
+				const activeSessions = sessions
+					.filter((session) => {
+						return session.expiresAt > new Date();
+					})
+					.map((session) => {
+						return {
+							...session,
+							token: undefined, // we don't need to return the token to the client
+							expiresAt: session.expiresAt.toISOString(),
+							createdAt: session.createdAt.toISOString(),
+							updatedAt: session.updatedAt.toISOString(),
+						};
+					});
 				return ctx.json(
-					activeSessions as unknown as Prettify<InferSession<Option>>[],
+					activeSessions as unknown as Prettify<
+						InferSession<Option> & { token: undefined }
+					>[],
 				);
 			} catch (e: any) {
 				ctx.context.logger.error(e);

packages/better-auth/src/plugins/admin/admin.test.ts

@@ -957,6 +957,10 @@ describe("access control", async (it) => {
 		user: ["read"],
 		order: ["read"],
 	});
+	const supportAc = ac.newRole({
+		user: ["update"],
+		order: ["update"],
+	});
 
 	const { signInWithTestUser, cookieSetter, auth, customFetchImpl } =
 		await getTestInstance(
@@ -967,6 +971,7 @@ describe("access control", async (it) => {
 						roles: {
 							admin: adminAc,
 							user: userAc,
+							support: supportAc,
 						},
 					}),
 				],
@@ -982,6 +987,14 @@ describe("access control", async (it) => {
 										},
 									};
 								}
+								if (user.name === "Support") {
+									return {
+										data: {
+											...user,
+											role: "support",
+										},
+									};
+								}
 							},
 						},
 					},
@@ -1001,6 +1014,7 @@ describe("access control", async (it) => {
 				roles: {
 					admin: adminAc,
 					user: userAc,
+					support: supportAc,
 				},
 			}),
 		],
@@ -1012,6 +1026,104 @@ describe("access control", async (it) => {
 
 	const { headers, user } = await signInWithTestUser();
 
+	it("should not allow role updates via update-user without user:set-role", async () => {
+		const supportHeaders = new Headers();
+		const { data: supportSignUp } = await client.signUp.email(
+			{
+				email: "support@test.com",
+				password: "password",
+				name: "Support",
+			},
+			{
+				onSuccess: cookieSetter(supportHeaders),
+			},
+		);
+		const supportUserId = supportSignUp?.user.id || "";
+
+		// Non-sensitive updates should still be allowed with `user:update`
+		const ok = await client.admin.updateUser(
+			{
+				userId: supportUserId,
+				data: {
+					name: "Support Updated",
+				},
+			},
+			{
+				headers: supportHeaders,
+			},
+		);
+		expect(ok.data?.name).toBe("Support Updated");
+
+		// But attempting to update `role` must be rejected without `user:set-role`.
+		const res = await client.admin.updateUser(
+			{
+				userId: supportUserId,
+				data: {
+					role: "admin",
+				},
+			},
+			{
+				headers: supportHeaders,
+			},
+		);
+		expect(res.error?.status).toBe(403);
+	});
+
+	it("should reject non-existent roles via update-user", async () => {
+		const { data: targetUserRes } = await client.signUp.email(
+			{
+				email: "role-target@test.com",
+				password: "password",
+				name: "Role Target",
+			},
+			{
+				onSuccess: cookieSetter(new Headers()),
+			},
+		);
+		const targetUserId = targetUserRes?.user.id || "";
+
+		const res = await client.admin.updateUser(
+			{
+				userId: targetUserId,
+				data: {
+					role: "non-existent-role",
+				},
+			},
+			{
+				headers,
+			},
+		);
+		expect(res.error?.status).toBe(400);
+	});
+
+	it("should allow role updates via update-user for valid roles with user:set-role", async () => {
+		const { data: targetUserRes } = await client.signUp.email(
+			{
+				email: "role-valid-target@test.com",
+				password: "password",
+				name: "Role Valid Target",
+			},
+			{
+				onSuccess: cookieSetter(new Headers()),
+			},
+		);
+		const targetUserId = targetUserRes?.user.id || "";
+
+		const res = await client.admin.updateUser(
+			{
+				userId: targetUserId,
+				data: {
+					role: "support",
+				},
+			},
+			{
+				headers,
+			},
+		);
+		expect(res.error).toBeNull();
+		expect(res.data?.role).toBe("support");
+	});
+
 	it("should validate on the client", async () => {
 		const canCreateOrder = client.admin.checkRolePermission({
 			role: "admin",

packages/better-auth/src/plugins/admin/error-codes.ts

@@ -29,4 +29,5 @@ export const ADMIN_ERROR_CODES = defineErrorCodes({
 	YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE:
 		"You are not allowed to set a non-existent role value",
 	YOU_CANNOT_IMPERSONATE_ADMINS: "You cannot impersonate admins",
+	INVALID_ROLE_TYPE: "Invalid role type",
 });

packages/better-auth/src/plugins/admin/routes.ts

@@ -460,8 +460,41 @@ export const adminUpdateUser = (opts: AdminOptions) =>
 					message: ADMIN_ERROR_CODES.NO_DATA_TO_UPDATE,
 				});
 			}
-			if (ctx.body.data?.role) {
-				ctx.body.data.role = parseRoles(ctx.body.data.role);
+
+			// Role changes must be guarded by `user:set-role` and validated against the role allow-list.
+			if (Object.prototype.hasOwnProperty.call(ctx.body.data, "role")) {
+				const canSetRole = hasPermission({
+					userId: ctx.context.session.user.id,
+					role: ctx.context.session.user.role,
+					options: opts,
+					permissions: {
+						user: ["set-role"],
+					},
+				});
+				if (!canSetRole) {
+					throw new APIError("FORBIDDEN", {
+						message: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_CHANGE_USERS_ROLE,
+					});
+				}
+
+				const roleValue = (ctx.body.data as Record<string, any>).role;
+				const inputRoles = Array.isArray(roleValue) ? roleValue : [roleValue];
+				for (const role of inputRoles) {
+					if (typeof role !== "string") {
+						throw new APIError("BAD_REQUEST", {
+							message: ADMIN_ERROR_CODES.INVALID_ROLE_TYPE,
+						});
+					}
+					if (opts.roles && !opts.roles[role as keyof typeof opts.roles]) {
+						throw new APIError("BAD_REQUEST", {
+							message:
+								ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE,
+						});
+					}
+				}
+				(ctx.body.data as Record<string, any>).role = parseRoles(
+					inputRoles as string[],
+				);
 			}
 			const updatedUser = await ctx.context.internalAdapter.updateUser(
 				ctx.body.userId,

packages/stripe/src/routes.ts

@@ -182,7 +182,7 @@ export const upgradeSubscription = (options: StripeOptions) => {
 					message: STRIPE_ERROR_CODES.SUBSCRIPTION_PLAN_NOT_FOUND,
 				});
 			}
-			const subscriptionToUpdate = ctx.body.subscriptionId
+			let subscriptionToUpdate = ctx.body.subscriptionId
 				? await ctx.context.adapter.findOne<Subscription>({
 						model: "subscription",
 						where: [
@@ -205,6 +205,14 @@ export const upgradeSubscription = (options: StripeOptions) => {
 						})
 					: null;
 
+			if (
+				ctx.body.subscriptionId &&
+				subscriptionToUpdate &&
+				subscriptionToUpdate.referenceId !== referenceId
+			) {
+				subscriptionToUpdate = null;
+			}
+
 			if (ctx.body.subscriptionId && !subscriptionToUpdate) {
 				throw new APIError("BAD_REQUEST", {
 					message: STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND,
@@ -698,7 +706,7 @@ export const cancelSubscription = (options: StripeOptions) => {
 		},
 		async (ctx) => {
 			const referenceId = ctx.body?.referenceId || ctx.context.session.user.id;
-			const subscription = ctx.body.subscriptionId
+			let subscription = ctx.body.subscriptionId
 				? await ctx.context.adapter.findOne<Subscription>({
 						model: "subscription",
 						where: [
@@ -719,6 +727,15 @@ export const cancelSubscription = (options: StripeOptions) => {
 							),
 						);
 
+			// Ensure the specified subscription belongs to the (validated) referenceId.
+			if (
+				ctx.body.subscriptionId &&
+				subscription &&
+				subscription.referenceId !== referenceId
+			) {
+				subscription = undefined;
+			}
+
 			if (!subscription || !subscription.stripeCustomerId) {
 				throw ctx.error("BAD_REQUEST", {
 					message: STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND,
@@ -847,7 +864,7 @@ export const restoreSubscription = (options: StripeOptions) => {
 		async (ctx) => {
 			const referenceId = ctx.body?.referenceId || ctx.context.session.user.id;
 
-			const subscription = ctx.body.subscriptionId
+			let subscription = ctx.body.subscriptionId
 				? await ctx.context.adapter.findOne<Subscription>({
 						model: "subscription",
 						where: [
@@ -872,6 +889,15 @@ export const restoreSubscription = (options: StripeOptions) => {
 								(sub) => sub.status === "active" || sub.status === "trialing",
 							),
 						);
+
+			// Ensure the specified subscription belongs to the (validated) referenceId.
+			if (
+				ctx.body.subscriptionId &&
+				subscription &&
+				subscription.referenceId !== referenceId
+			) {
+				subscription = undefined;
+			}
 			if (!subscription || !subscription.stripeCustomerId) {
 				throw ctx.error("BAD_REQUEST", {
 					message: STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND,

packages/stripe/src/stripe.test.ts

@@ -227,6 +227,92 @@ describe("stripe", async () => {
 		});
 	});
 
+	it("should not allow cross-user subscriptionId operations (upgrade/cancel/restore)", async () => {
+		const userA = {
+			email: "user-a@email.com",
+			password: "password",
+			name: "User A",
+		};
+		const userARes = await authClient.signUp.email(userA, { throw: true });
+
+		const userAHeaders = new Headers();
+		await authClient.signIn.email(userA, {
+			throw: true,
+			onSuccess: setCookieToHeader(userAHeaders),
+		});
+		await authClient.subscription.upgrade({
+			plan: "starter",
+			fetchOptions: { headers: userAHeaders },
+		});
+
+		const userASub = await ctx.adapter.findOne<Subscription>({
+			model: "subscription",
+			where: [{ field: "referenceId", value: userARes.user.id }],
+		});
+		expect(userASub).toBeTruthy();
+
+		const userB = {
+			email: "user-b@email.com",
+			password: "password",
+			name: "User B",
+		};
+		await authClient.signUp.email(userB, { throw: true });
+		const userBHeaders = new Headers();
+		await authClient.signIn.email(userB, {
+			throw: true,
+			onSuccess: setCookieToHeader(userBHeaders),
+		});
+
+		mockStripe.checkout.sessions.create.mockClear();
+		mockStripe.billingPortal.sessions.create.mockClear();
+		mockStripe.subscriptions.list.mockClear();
+		mockStripe.subscriptions.update.mockClear();
+
+		const upgradeRes = await authClient.subscription.upgrade({
+			plan: "premium",
+			subscriptionId: userASub!.id,
+			fetchOptions: { headers: userBHeaders },
+		});
+		expect(upgradeRes.error?.message).toContain("Subscription not found");
+		expect(mockStripe.checkout.sessions.create).not.toHaveBeenCalled();
+		expect(mockStripe.billingPortal.sessions.create).not.toHaveBeenCalled();
+
+		const cancelHeaders = new Headers(userBHeaders);
+		cancelHeaders.set("content-type", "application/json");
+		const cancelResponse = await auth.handler(
+			new Request("http://localhost:3000/api/auth/subscription/cancel", {
+				method: "POST",
+				headers: cancelHeaders,
+				body: JSON.stringify({
+					subscriptionId: userASub!.id,
+					returnUrl: "/account",
+				}),
+			}),
+		);
+		expect(cancelResponse.status).toBe(400);
+		expect((await cancelResponse.json()).message).toContain(
+			"Subscription not found",
+		);
+		expect(mockStripe.billingPortal.sessions.create).not.toHaveBeenCalled();
+
+		const restoreHeaders = new Headers(userBHeaders);
+		restoreHeaders.set("content-type", "application/json");
+		const restoreResponse = await auth.handler(
+			new Request("http://localhost:3000/api/auth/subscription/restore", {
+				method: "POST",
+				headers: restoreHeaders,
+				body: JSON.stringify({
+					subscriptionId: userASub!.id,
+				}),
+			}),
+		);
+		expect(restoreResponse.status).toBe(400);
+		expect((await restoreResponse.json()).message).toContain(
+			"Subscription not found",
+		);
+		expect(mockStripe.subscriptions.update).not.toHaveBeenCalled();
+	});
+
 	it("should list active subscriptions", async () => {
 		const userRes = await authClient.signUp.email(
 			{