@better-auth/core 1.3.26 → 1.3.28

package/src/oauth2/validate-authorization-code.ts

@@ -0,0 +1,156 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { jwtVerify } from "jose";
+import type { ProviderOptions } from "./index";
+import { getOAuth2Tokens } from "./index";
+import { base64 } from "@better-auth/utils/base64";
+
+export function createAuthorizationCodeRequest({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: Partial<ProviderOptions>;
+	codeVerifier?: string;
+	deviceId?: string;
+	authentication?: "basic" | "post";
+	headers?: Record<string, string>;
+	additionalParams?: Record<string, string>;
+	resource?: string | string[];
+}) {
+	const body = new URLSearchParams();
+	const requestHeaders: Record<string, any> = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+		"user-agent": "better-auth",
+		...headers,
+	};
+	body.set("grant_type", "authorization_code");
+	body.set("code", code);
+	codeVerifier && body.set("code_verifier", codeVerifier);
+	options.clientKey && body.set("client_key", options.clientKey);
+	deviceId && body.set("device_id", deviceId);
+	body.set("redirect_uri", options.redirectURI || redirectURI);
+	if (resource) {
+		if (typeof resource === "string") {
+			body.append("resource", resource);
+		} else {
+			for (const _resource of resource) {
+				body.append("resource", _resource);
+			}
+		}
+	}
+	// Use standard Base64 encoding for HTTP Basic Auth (OAuth2 spec, RFC 7617)
+	// Fixes compatibility with providers like Notion, Twitter, etc.
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		const encodedCredentials = base64.encode(
+			`${primaryClientId}:${options.clientSecret ?? ""}`,
+		);
+		requestHeaders["authorization"] = `Basic ${encodedCredentials}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) {
+			body.set("client_secret", options.clientSecret);
+		}
+	}
+
+	for (const [key, value] of Object.entries(additionalParams)) {
+		if (!body.has(key)) body.append(key, value);
+	}
+
+	return {
+		body,
+		headers: requestHeaders,
+	};
+}
+
+export async function validateAuthorizationCode({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	tokenEndpoint,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: Partial<ProviderOptions>;
+	codeVerifier?: string;
+	deviceId?: string;
+	tokenEndpoint: string;
+	authentication?: "basic" | "post";
+	headers?: Record<string, string>;
+	additionalParams?: Record<string, string>;
+	resource?: string | string[];
+}) {
+	const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource,
+	});
+
+	const { data, error } = await betterFetch<object>(tokenEndpoint, {
+		method: "POST",
+		body: body,
+		headers: requestHeaders,
+	});
+
+	if (error) {
+		throw error;
+	}
+	const tokens = getOAuth2Tokens(data);
+	return tokens;
+}
+
+export async function validateToken(token: string, jwksEndpoint: string) {
+	const { data, error } = await betterFetch<{
+		keys: {
+			kid: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+			x5c: string[];
+		}[];
+	}>(jwksEndpoint, {
+		method: "GET",
+		headers: {
+			accept: "application/json",
+			"user-agent": "better-auth",
+		},
+	});
+	if (error) {
+		throw error;
+	}
+	const keys = data["keys"];
+	const header = JSON.parse(atob(token.split(".")[0]!));
+	const key = keys.find((key) => key.kid === header.kid);
+	if (!key) {
+		throw new Error("Key not found");
+	}
+	const verified = await jwtVerify(token, key);
+	return verified;
+}

package/src/social-providers/apple.ts

@@ -0,0 +1,213 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { APIError } from "better-call";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	refreshAccessToken,
+	createAuthorizationURL,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+export interface AppleProfile {
+	/**
+	 * The subject registered claim identifies the principal that’s the subject
+	 * of the identity token. Because this token is for your app, the value is
+	 * the unique identifier for the user.
+	 */
+	sub: string;
+	/**
+	 * A String value representing the user's email address.
+	 * The email address is either the user's real email address or the proxy
+	 * address, depending on their status private email relay service.
+	 */
+	email: string;
+	/**
+	 * A string or Boolean value that indicates whether the service verifies
+	 * the email. The value can either be a string ("true" or "false") or a
+	 * Boolean (true or false). The system may not verify email addresses for
+	 * Sign in with Apple at Work & School users, and this claim is "false" or
+	 * false for those users.
+	 */
+	email_verified: true | "true";
+	/**
+	 * A string or Boolean value that indicates whether the email that the user
+	 * shares is the proxy address. The value can either be a string ("true" or
+	 * "false") or a Boolean (true or false).
+	 */
+	is_private_email: boolean;
+	/**
+	 * An Integer value that indicates whether the user appears to be a real
+	 * person. Use the value of this claim to mitigate fraud. The possible
+	 * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
+	 * more information, see ASUserDetectionStatus. This claim is present only
+	 * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
+	 * and later. The claim isn’t present or supported for web-based apps.
+	 */
+	real_user_status: number;
+	/**
+	 * The user’s full name in the format provided during the authorization
+	 * process.
+	 */
+	name: string;
+	/**
+	 * The URL to the user's profile picture.
+	 */
+	picture: string;
+	user?: AppleNonConformUser;
+}
+
+/**
+ * This is the shape of the `user` query parameter that Apple sends the first
+ * time the user consents to the app.
+ * @see https://developer.apple.com/documentation/signinwithapplerestapi/request-an-authorization-to-the-sign-in-with-apple-server./
+ */
+export interface AppleNonConformUser {
+	name: {
+		firstName: string;
+		lastName: string;
+	};
+	email: string;
+}
+
+export interface AppleOptions extends ProviderOptions<AppleProfile> {
+	clientId: string;
+	appBundleIdentifier?: string;
+	audience?: string | string[];
+}
+
+export const apple = (options: AppleOptions) => {
+	const tokenEndpoint = "https://appleid.apple.com/auth/token";
+	return {
+		id: "apple",
+		name: "Apple",
+		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
+			options.scope && _scope.push(...options.scope);
+			scopes && _scope.push(...scopes);
+			const url = await createAuthorizationURL({
+				id: "apple",
+				options,
+				authorizationEndpoint: "https://appleid.apple.com/auth/authorize",
+				scopes: _scope,
+				state,
+				redirectURI,
+				responseMode: "form_post",
+				responseType: "code id_token",
+			});
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+			const decodedHeader = decodeProtectedHeader(token);
+			const { kid, alg: jwtAlg } = decodedHeader;
+			if (!kid || !jwtAlg) return false;
+			const publicKey = await getApplePublicKey(kid);
+			const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+				algorithms: [jwtAlg],
+				issuer: "https://appleid.apple.com",
+				audience:
+					options.audience && options.audience.length
+						? options.audience
+						: options.appBundleIdentifier
+							? options.appBundleIdentifier
+							: options.clientId,
+				maxTokenAge: "1h",
+			});
+			["email_verified", "is_private_email"].forEach((field) => {
+				if (jwtClaims[field] !== undefined) {
+					jwtClaims[field] = Boolean(jwtClaims[field]);
+				}
+			});
+			if (nonce && jwtClaims.nonce !== nonce) {
+				return false;
+			}
+			return !!jwtClaims;
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://appleid.apple.com/auth/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			if (!token.idToken) {
+				return null;
+			}
+			const profile = decodeJwt<AppleProfile>(token.idToken);
+			if (!profile) {
+				return null;
+			}
+			const name = token.user
+				? `${token.user.name?.firstName} ${token.user.name?.lastName}`
+				: profile.name || profile.email;
+			const emailVerified =
+				typeof profile.email_verified === "boolean"
+					? profile.email_verified
+					: profile.email_verified === "true";
+			const enrichedProfile = {
+				...profile,
+				name,
+			};
+			const userMap = await options.mapProfileToUser?.(enrichedProfile);
+			return {
+				user: {
+					id: profile.sub,
+					name: enrichedProfile.name,
+					emailVerified: emailVerified,
+					email: profile.email,
+					...userMap,
+				},
+				data: enrichedProfile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<AppleProfile>;
+};
+
+export const getApplePublicKey = async (kid: string) => {
+	const APPLE_BASE_URL = "https://appleid.apple.com";
+	const JWKS_APPLE_URI = "/auth/keys";
+	const { data } = await betterFetch<{
+		keys: Array<{
+			kid: string;
+			alg: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+		}>;
+	}>(`${APPLE_BASE_URL}${JWKS_APPLE_URI}`);
+	if (!data?.keys) {
+		throw new APIError("BAD_REQUEST", {
+			message: "Keys not found",
+		});
+	}
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) {
+		throw new Error(`JWK with kid ${kid} not found`);
+	}
+	return await importJWK(jwk, jwk.alg);
+};

package/src/social-providers/atlassian.ts

@@ -0,0 +1,130 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+import { logger } from "@better-auth/core/env";
+import { refreshAccessToken } from "@better-auth/core/oauth2";
+
+export interface AtlassianProfile {
+	account_type?: string;
+	account_id: string;
+	email?: string;
+	name: string;
+	picture?: string;
+	nickname?: string;
+	locale?: string;
+	extended_profile?: {
+		job_title?: string;
+		organization?: string;
+		department?: string;
+		location?: string;
+	};
+}
+export interface AtlassianOptions extends ProviderOptions<AtlassianProfile> {
+	clientId: string;
+}
+
+export const atlassian = (options: AtlassianOptions) => {
+	return {
+		id: "atlassian",
+		name: "Atlassian",
+
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Secret are required for Atlassian");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) {
+				throw new BetterAuthError("codeVerifier is required for Atlassian");
+			}
+
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["read:jira-user", "offline_access"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+
+			return createAuthorizationURL({
+				id: "atlassian",
+				options,
+				authorizationEndpoint: "https://auth.atlassian.com/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				additionalParams: {
+					audience: "api.atlassian.com",
+				},
+				prompt: options.prompt,
+			});
+		},
+
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://auth.atlassian.com/oauth/token",
+			});
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://auth.atlassian.com/oauth/token",
+					});
+				},
+
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			if (!token.accessToken) {
+				return null;
+			}
+
+			try {
+				const { data: profile } = await betterFetch<{
+					account_id: string;
+					name: string;
+					email?: string;
+					picture?: string;
+				}>("https://api.atlassian.com/me", {
+					headers: { Authorization: `Bearer ${token.accessToken}` },
+				});
+
+				if (!profile) return null;
+
+				const userMap = await options.mapProfileToUser?.(profile);
+
+				return {
+					user: {
+						id: profile.account_id,
+						name: profile.name,
+						email: profile.email,
+						image: profile.picture,
+						emailVerified: false,
+						...userMap,
+					},
+					data: profile,
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Figma:", error);
+				return null;
+			}
+		},
+
+		options,
+	} satisfies OAuthProvider<AtlassianProfile>;
+};