better_auth 0.1.1 → 0.3.0

data/lib/better_auth/social_providers/base.rb

@@ -0,0 +1,325 @@
+# frozen_string_literal: true
+
+require "base64"
+require "json"
+require "jwt"
+require "net/http"
+require "openssl"
+require "time"
+require "uri"
+
+module BetterAuth
+  module SocialProviders
+    module Base
+      module_function
+
+      def authorization_url(endpoint, params)
+        uri = URI(endpoint)
+        query = URI.decode_www_form(uri.query.to_s)
+        params.compact.each do |key, value|
+          next if value == ""
+
+          query << [key.to_s, Array(value).join(" ")]
+        end
+        uri.query = URI.encode_www_form(query)
+        uri.to_s
+      end
+
+      def oauth_provider(id:, name:, client_id:, authorization_endpoint:, token_endpoint:, profile_map:, client_secret: nil, user_info_endpoint: nil, scopes: [], scope_separator: " ", pkce: false, auth_params: {}, token_params: {}, user_info_method: :get, user_info_headers: {}, user_info_body: nil, **options)
+        opts = normalize_options(options.merge(client_id: client_id, client_secret: client_secret))
+        {
+          id: id,
+          name: name,
+          client_id: client_id,
+          client_secret: client_secret,
+          options: opts,
+          create_authorization_url: lambda do |data|
+            verifier = value(data, :code_verifier, :codeVerifier)
+            selected_scopes = selected_scopes(scopes, opts, data)
+            params = {
+              client_id: primary_client_id(client_id),
+              redirect_uri: opts[:redirect_uri] || value(data, :redirect_uri, :redirectURI),
+              response_type: "code",
+              scope: selected_scopes.empty? ? nil : selected_scopes.join(scope_separator),
+              state: value(data, :state),
+              code_challenge: (pkce && verifier) ? pkce_challenge(verifier) : nil,
+              code_challenge_method: (pkce && verifier) ? "S256" : nil,
+              login_hint: value(data, :loginHint, :login_hint),
+              prompt: opts[:prompt]
+            }.merge(resolve_hash(auth_params, data, opts))
+            authorization_url(option(opts, :authorization_endpoint, :authorizationEndpoint) || authorization_endpoint, params)
+          end,
+          validate_authorization_code: lambda do |data|
+            post_form_json(option(opts, :token_endpoint, :tokenEndpoint) || token_endpoint, {
+              client_id: primary_client_id(client_id),
+              client_secret: client_secret,
+              code: value(data, :code),
+              code_verifier: value(data, :code_verifier, :codeVerifier),
+              grant_type: "authorization_code",
+              redirect_uri: opts[:redirect_uri] || value(data, :redirect_uri, :redirectURI)
+            }.merge(resolve_hash(token_params, data, opts)))
+          end,
+          refresh_access_token: opts[:refresh_access_token] || lambda do |refresh_token|
+            refresh_access_token(
+              option(opts, :token_endpoint, :tokenEndpoint) || token_endpoint,
+              refresh_token,
+              client_id: primary_client_id(client_id),
+              client_secret: client_secret
+            )
+          end,
+          verify_id_token: opts[:verify_id_token] || lambda do |token, _nonce = nil|
+            return false if opts[:disable_id_token_sign_in]
+
+            !decode_jwt_payload(token).empty?
+          end,
+          get_user_info: lambda do |tokens|
+            custom = opts[:get_user_info]
+            profile = if custom
+              custom.call(tokens)
+            elsif user_info_endpoint
+              fetch_user_info(user_info_endpoint, tokens, method: user_info_method, headers: user_info_headers, body: user_info_body)
+            else
+              decode_jwt_payload(id_token(tokens))
+            end
+            return nil unless profile
+            return profile if provider_user_info?(profile)
+
+            mapped = profile_map.call(profile)
+            user_map = opts[:map_profile_to_user]&.call(profile) || {}
+            {user: mapped.merge(user_map), data: profile}
+          end
+        }
+      end
+
+      def pkce_challenge(verifier)
+        digest = OpenSSL::Digest.digest("SHA256", verifier.to_s)
+        Base64.urlsafe_encode64(digest, padding: false)
+      end
+
+      def post_form(url, form)
+        post_form_json(url, form)
+      end
+
+      def post_form_json(url, form, headers = {})
+        uri = URI(url)
+        request = Net::HTTP::Post.new(uri)
+        request.set_form_data(form.compact.transform_keys(&:to_s))
+        request["Accept"] = "application/json"
+        headers.each { |key, value| request[key.to_s] = value.to_s }
+        parse_response(request_json(uri, request))
+      end
+
+      def get_json(url, headers = {})
+        uri = URI(url)
+        request = Net::HTTP::Get.new(uri)
+        headers.each { |key, value| request[key.to_s] = value.to_s }
+        parse_response(request_json(uri, request))
+      end
+
+      def get_bytes(url, headers = {})
+        uri = URI(url)
+        request = Net::HTTP::Get.new(uri)
+        headers.each { |key, value| request[key.to_s] = value.to_s }
+        response = request_json(uri, request)
+        response.is_a?(Net::HTTPSuccess) ? response.body.to_s : nil
+      rescue URI::InvalidURIError, SocketError, SystemCallError
+        nil
+      end
+
+      def post_json(url, body = {}, headers = {})
+        uri = URI(url)
+        request = Net::HTTP::Post.new(uri)
+        headers.each { |key, value| request[key.to_s] = value.to_s }
+        request.set_form_data(body.compact.transform_keys(&:to_s))
+        parse_response(request_json(uri, request))
+      end
+
+      def fetch_user_info(endpoint, tokens, method: :get, headers: {}, body: nil)
+        resolved_headers = resolve_hash(headers, tokens, {})
+        resolved_body = resolve_hash(body || {}, tokens, {})
+        resolved_headers = {"Authorization" => "Bearer #{access_token(tokens)}"}.merge(resolved_headers)
+        (method == :post) ? post_json(endpoint, resolved_body, resolved_headers) : get_json(endpoint, resolved_headers)
+      end
+
+      def refresh_access_token(token_endpoint, refresh_token, client_id:, client_secret: nil, extra_params: {})
+        normalize_tokens(post_form_json(token_endpoint, {
+          client_id: client_id,
+          client_secret: client_secret,
+          grant_type: "refresh_token",
+          refresh_token: refresh_token
+        }.merge(extra_params || {})))
+      end
+
+      def normalize_tokens(tokens, now: Time.now)
+        data = stringify_keys(tokens || {})
+        result = {}
+        result["accessToken"] = data["accessToken"] || data["access_token"] if data["accessToken"] || data["access_token"]
+        result["refreshToken"] = data["refreshToken"] || data["refresh_token"] if data["refreshToken"] || data["refresh_token"]
+        result["idToken"] = data["idToken"] || data["id_token"] if data["idToken"] || data["id_token"]
+        result["tokenType"] = data["tokenType"] || data["token_type"] if data["tokenType"] || data["token_type"]
+        scope = data["scope"] || data["scopes"]
+        result["scope"] = Array(scope).join(",").tr(" ", ",").split(",").reject(&:empty?).join(",") if scope
+        result["accessTokenExpiresAt"] = time_from(data["accessTokenExpiresAt"] || data["access_token_expires_at"]) if data["accessTokenExpiresAt"] || data["access_token_expires_at"]
+        result["refreshTokenExpiresAt"] = time_from(data["refreshTokenExpiresAt"] || data["refresh_token_expires_at"]) if data["refreshTokenExpiresAt"] || data["refresh_token_expires_at"]
+        result["accessTokenExpiresAt"] ||= now + data["expires_in"].to_i if data["expires_in"]
+        result["refreshTokenExpiresAt"] ||= now + data["refresh_token_expires_in"].to_i if data["refresh_token_expires_in"]
+        data.each { |key, value| result[key] = value unless result.key?(key) || %w[access_token refresh_token id_token token_type expires_in refresh_token_expires_in scopes].include?(key) }
+        result
+      end
+
+      def access_token(tokens)
+        tokens[:access_token] || tokens["access_token"] || tokens[:accessToken] || tokens["accessToken"]
+      end
+
+      def id_token(tokens)
+        tokens[:id_token] || tokens["id_token"] || tokens[:idToken] || tokens["idToken"]
+      end
+
+      def value(hash, *keys)
+        return nil unless hash
+
+        keys.each do |key|
+          return hash[key] if hash.respond_to?(:key?) && hash.key?(key)
+
+          string_key = key.to_s
+          return hash[string_key] if hash.respond_to?(:key?) && hash.key?(string_key)
+        end
+        nil
+      end
+
+      def option(options, *keys)
+        value(options, *keys)
+      end
+
+      def normalize_options(options)
+        normalized = options.dup
+        {
+          clientId: :client_id,
+          clientSecret: :client_secret,
+          clientKey: :client_key,
+          disableDefaultScope: :disable_default_scope,
+          mapProfileToUser: :map_profile_to_user,
+          getUserInfo: :get_user_info,
+          verifyIdToken: :verify_id_token,
+          refreshAccessToken: :refresh_access_token,
+          disableIdTokenSignIn: :disable_id_token_sign_in,
+          disableImplicitSignUp: :disable_implicit_sign_up,
+          disableSignUp: :disable_sign_up,
+          authorizationEndpoint: :authorization_endpoint,
+          tokenEndpoint: :token_endpoint,
+          userInfoEndpoint: :user_info_endpoint,
+          emailsEndpoint: :emails_endpoint,
+          redirectURI: :redirect_uri,
+          jwksEndpoint: :jwks_endpoint,
+          appBundleIdentifier: :app_bundle_identifier,
+          profilePhotoSize: :profile_photo_size,
+          disableProfilePhoto: :disable_profile_photo,
+          tenantId: :tenant_id
+        }.each do |camel, snake|
+          normalized[snake] = normalized[camel] if normalized.key?(camel) && !normalized.key?(snake)
+        end
+        normalized
+      end
+
+      def selected_scopes(defaults, options, data)
+        scopes = options[:disable_default_scope] ? [] : Array(defaults).dup
+        scopes.concat(Array(options[:scope])) if options[:scope]
+        scopes.concat(Array(options[:scopes])) if options[:scopes]
+        request_scopes = value(data, :scopes)
+        scopes.concat(Array(request_scopes)) if request_scopes
+        scopes
+      end
+
+      def primary_client_id(client_id)
+        value = Array(client_id).first
+        raise Error, "CLIENT_ID_AND_SECRET_REQUIRED" if value.to_s.empty?
+
+        value
+      end
+
+      def apply_profile_mapping(user, profile, options)
+        user.merge(options[:map_profile_to_user]&.call(profile) || {})
+      end
+
+      def resolve_hash(value, data, options)
+        resolved = value.respond_to?(:call) ? value.call(data, options) : value
+        (resolved || {}).compact
+      end
+
+      def provider_user_info?(value)
+        value.is_a?(Hash) && (value.key?(:user) || value.key?("user"))
+      end
+
+      def decode_jwt_payload(token)
+        _header, payload, _signature = token.to_s.split(".", 3)
+        return {} unless payload
+
+        JSON.parse(Base64.urlsafe_decode64(padded_base64(payload)))
+      rescue JSON::ParserError, ArgumentError
+        {}
+      end
+
+      def verify_jwt_with_jwks(token, jwks:, jwks_endpoint:, algorithms:, issuers:, audience:, nonce: nil, max_age: 3600)
+        jwks_payload = jwks.respond_to?(:call) ? jwks.call : jwks
+        jwks_payload ||= fetch_jwks(jwks_endpoint)
+        return nil unless jwks_payload
+
+        options = {
+          algorithms: algorithms,
+          jwks: JWT::JWK::Set.new(stringify_keys(jwks_payload)),
+          aud: audience,
+          verify_aud: true
+        }
+        options[:iss] = issuers if issuers
+        options[:verify_iss] = true if issuers
+        payload, = JWT.decode(token.to_s, nil, true, options)
+        return nil if nonce && payload["nonce"] != nonce
+        return nil if max_age && payload["iat"] && payload["iat"].to_i < Time.now.to_i - max_age.to_i
+
+        payload
+      rescue JWT::DecodeError, JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
+        nil
+      end
+
+      def fetch_jwks(endpoint)
+        return nil if endpoint.to_s.empty?
+
+        get_json(endpoint)
+      end
+
+      def stringify_keys(hash)
+        hash.each_with_object({}) { |(key, value), memo| memo[key.to_s] = value }
+      end
+
+      def time_from(value)
+        return value if value.is_a?(Time)
+        return nil if value.nil? || value.to_s.empty?
+
+        Time.parse(value.to_s)
+      rescue ArgumentError
+        nil
+      end
+
+      def parse_response(response)
+        return nil unless response.is_a?(Net::HTTPSuccess)
+
+        body = response.body.to_s
+        return {} if body.empty?
+
+        JSON.parse(body)
+      rescue JSON::ParserError
+        URI.decode_www_form(body).to_h
+      end
+
+      def request_json(uri, request)
+        Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https", open_timeout: 5, read_timeout: 5) do |http|
+          http.request(request)
+        end
+      end
+
+      def padded_base64(value)
+        value + ("=" * ((4 - value.length % 4) % 4))
+      end
+    end
+  end
+end

data/lib/better_auth/social_providers/cognito.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def cognito(client_id:, client_secret: nil, scopes: ["openid", "profile", "email"], **options)
+      domain = (options[:domain] || options[:issuer] || "https://cognito-idp.#{options[:region] || "us-east-1"}.amazonaws.com").to_s.sub(%r{/+\z}, "")
+      Base.oauth_provider(
+        id: "cognito",
+        name: "Cognito",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "#{domain}/oauth2/authorize",
+        token_endpoint: "#{domain}/oauth2/token",
+        user_info_endpoint: "#{domain}/oauth2/userinfo",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["name"] || profile["given_name"] || profile["username"] || "",
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/discord.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def discord(client_id:, client_secret:, scopes: ["identify", "email"], **options)
+      normalized = Base.normalize_options(options)
+      {
+        id: "discord",
+        name: "Discord",
+        client_id: client_id,
+        client_secret: client_secret,
+        create_authorization_url: lambda do |data|
+          selected_scopes = Base.selected_scopes(scopes, normalized, data)
+          params = {
+            client_id: client_id,
+            redirect_uri: data[:redirect_uri] || data[:redirectURI],
+            response_type: "code",
+            scope: selected_scopes,
+            state: data[:state],
+            prompt: options.fetch(:prompt, "none")
+          }
+          params[:permissions] = options[:permissions] if selected_scopes.include?("bot") && options.key?(:permissions)
+          Base.authorization_url("https://discord.com/api/oauth2/authorize", params)
+        end,
+        validate_authorization_code: lambda do |data|
+          Base.post_form("https://discord.com/api/oauth2/token", {
+            client_id: client_id,
+            client_secret: client_secret,
+            code: data[:code],
+            grant_type: "authorization_code",
+            redirect_uri: data[:redirect_uri] || data[:redirectURI]
+          })
+        end,
+        get_user_info: lambda do |tokens|
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+
+          profile = Base.get_json("https://discord.com/api/users/@me", "Authorization" => "Bearer #{Base.access_token(tokens)}")
+          image = discord_avatar_url(profile)
+          profile["image_url"] = image
+          user = Base.apply_profile_mapping(
+            {
+              id: profile["id"],
+              email: profile["email"],
+              name: profile["global_name"] || profile["username"] || "",
+              image: image,
+              emailVerified: !!profile["verified"]
+            },
+            profile,
+            normalized
+          )
+          {
+            user: user,
+            data: profile
+          }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token("https://discord.com/api/oauth2/token", refresh_token, client_id: client_id, client_secret: client_secret)
+        end
+      }
+    end
+
+    def discord_avatar_url(profile)
+      avatar = profile["avatar"]
+      unless avatar
+        discriminator = profile["discriminator"].to_s
+        default_avatar_number = if discriminator == "0"
+          (profile["id"].to_i >> 22) % 6
+        else
+          discriminator.to_i % 5
+        end
+        return "https://cdn.discordapp.com/embed/avatars/#{default_avatar_number}.png"
+      end
+
+      format = avatar.start_with?("a_") ? "gif" : "png"
+      "https://cdn.discordapp.com/avatars/#{profile["id"]}/#{avatar}.#{format}"
+    end
+  end
+end

data/lib/better_auth/social_providers/dropbox.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def dropbox(client_id:, client_secret:, scopes: ["account_info.read"], **options)
+      Base.oauth_provider(
+        id: "dropbox",
+        name: "Dropbox",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://www.dropbox.com/oauth2/authorize",
+        token_endpoint: "https://api.dropboxapi.com/oauth2/token",
+        user_info_endpoint: "https://api.dropboxapi.com/2/users/get_current_account",
+        user_info_method: :post,
+        scopes: scopes,
+        pkce: true,
+        auth_params: ->(_data, opts) { {token_access_type: opts[:access_type] || opts[:accessType]} },
+        profile_map: ->(profile) {
+          {
+            id: profile["account_id"],
+            name: profile.dig("name", "display_name"),
+            email: profile["email"],
+            image: profile["profile_photo_url"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/facebook.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def facebook(client_id:, client_secret:, scopes: ["email", "public_profile"], **options)
+      fields = Array(options[:fields] || %w[id name email picture email_verified]).join(",")
+      provider = Base.oauth_provider(
+        id: "facebook",
+        name: "Facebook",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://www.facebook.com/v24.0/dialog/oauth",
+        token_endpoint: "https://graph.facebook.com/v24.0/oauth/access_token",
+        user_info_endpoint: "https://graph.facebook.com/me?fields=#{URI.encode_www_form_component(fields)}",
+        scopes: scopes,
+        auth_params: ->(_data, opts) { {config_id: opts[:config_id] || opts[:configId]} },
+        profile_map: ->(profile) {
+          picture = profile.dig("picture", "data", "url") || profile["picture"]
+          {
+            id: profile["id"] || profile["sub"],
+            name: profile["name"],
+            email: profile["email"],
+            image: picture,
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+      provider[:verify_id_token] = provider[:options][:verify_id_token] || ->(token, _nonce = nil) { provider[:options][:disable_id_token_sign_in] ? false : !token.to_s.empty? }
+      provider
+    end
+  end
+end

data/lib/better_auth/social_providers/figma.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def figma(client_id:, client_secret:, scopes: ["current_user:read"], **options)
+      Base.oauth_provider(
+        id: "figma",
+        name: "Figma",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://www.figma.com/oauth",
+        token_endpoint: "https://api.figma.com/v1/oauth/token",
+        user_info_endpoint: "https://api.figma.com/v1/me",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["id"],
+            name: profile["handle"],
+            email: profile["email"],
+            image: profile["img_url"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/github.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def github(client_id:, client_secret:, scopes: ["read:user", "user:email"], **options)
+      normalized = Base.normalize_options(options)
+      token_endpoint = normalized[:token_endpoint] || "https://github.com/login/oauth/access_token"
+      user_info_endpoint = normalized[:user_info_endpoint] || "https://api.github.com/user"
+      emails_endpoint = normalized[:emails_endpoint] || "https://api.github.com/user/emails"
+      {
+        id: "github",
+        name: "GitHub",
+        client_id: client_id,
+        client_secret: client_secret,
+        create_authorization_url: lambda do |data|
+          Base.authorization_url(options[:authorization_endpoint] || "https://github.com/login/oauth/authorize", {
+            client_id: client_id,
+            redirect_uri: data[:redirect_uri] || data[:redirectURI],
+            scope: Base.selected_scopes(scopes, normalized, data),
+            state: data[:state],
+            login_hint: data[:loginHint] || data[:login_hint],
+            prompt: options[:prompt]
+          })
+        end,
+        validate_authorization_code: lambda do |data|
+          Base.post_form(token_endpoint, {
+            client_id: client_id,
+            client_secret: client_secret,
+            code: data[:code],
+            code_verifier: data[:code_verifier] || data[:codeVerifier],
+            redirect_uri: data[:redirect_uri] || data[:redirectURI]
+          })
+        end,
+        get_user_info: lambda do |tokens|
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+
+          headers = {
+            "Authorization" => "Bearer #{Base.access_token(tokens)}",
+            "Accept" => "application/json",
+            "User-Agent" => "better-auth"
+          }
+          profile = Base.get_json(user_info_endpoint, headers)
+          emails = Base.get_json(emails_endpoint, headers)
+          primary = Array(emails).find { |email| email["email"] == profile["email"] } ||
+            Array(emails).find { |email| email["primary"] } ||
+            Array(emails).first ||
+            {}
+
+          user = Base.apply_profile_mapping(
+            {
+              id: profile["id"].to_s,
+              email: profile["email"] || primary["email"],
+              name: profile["name"] || profile["login"],
+              image: profile["avatar_url"],
+              emailVerified: !!primary["verified"]
+            },
+            profile,
+            normalized
+          )
+          {
+            user: user,
+            data: profile
+          }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token(token_endpoint, refresh_token, client_id: client_id, client_secret: client_secret)
+        end
+      }
+    end
+  end
+end

data/lib/better_auth/social_providers/gitlab.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def gitlab(client_id:, client_secret:, issuer: "https://gitlab.com", scopes: ["read_user"], **options)
+      base = issuer.to_s.sub(%r{/+\z}, "")
+      normalized = Base.normalize_options(options)
+      {
+        id: "gitlab",
+        name: "GitLab",
+        client_id: client_id,
+        client_secret: client_secret,
+        create_authorization_url: lambda do |data|
+          Base.authorization_url(options[:authorization_endpoint] || "#{base}/oauth/authorize", {
+            client_id: client_id,
+            redirect_uri: data[:redirect_uri] || data[:redirectURI],
+            response_type: "code",
+            scope: Base.selected_scopes(scopes, normalized, data),
+            state: data[:state],
+            code_challenge: (data[:code_verifier] || data[:codeVerifier]) && Base.pkce_challenge(data[:code_verifier] || data[:codeVerifier]),
+            code_challenge_method: (data[:code_verifier] || data[:codeVerifier]) && "S256",
+            login_hint: data[:loginHint] || data[:login_hint]
+          })
+        end,
+        validate_authorization_code: lambda do |data|
+          Base.post_form("#{base}/oauth/token", {
+            client_id: client_id,
+            client_secret: client_secret,
+            code: data[:code],
+            code_verifier: data[:code_verifier] || data[:codeVerifier],
+            grant_type: "authorization_code",
+            redirect_uri: data[:redirect_uri] || data[:redirectURI]
+          })
+        end,
+        get_user_info: lambda do |tokens|
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+
+          profile = Base.get_json("#{base}/api/v4/user", "Authorization" => "Bearer #{Base.access_token(tokens)}")
+          return nil if profile["state"] && profile["state"] != "active"
+          return nil if profile["locked"] == true
+
+          user = Base.apply_profile_mapping(
+            {
+              id: profile["id"].to_s,
+              email: profile["email"],
+              name: profile["name"] || profile["username"],
+              image: profile["avatar_url"],
+              emailVerified: !!profile["email_verified"]
+            },
+            profile,
+            normalized
+          )
+          {
+            user: user,
+            data: profile
+          }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token("#{base}/oauth/token", refresh_token, client_id: client_id, client_secret: client_secret)
+        end
+      }
+    end
+  end
+end