@better-auth/core 1.3.26 → 1.3.28

package/src/social-providers/cognito.ts

@@ -0,0 +1,269 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+import { logger } from "@better-auth/core/env";
+import { refreshAccessToken } from "@better-auth/core/oauth2";
+import { APIError } from "better-call";
+
+export interface CognitoProfile {
+	sub: string;
+	email: string;
+	email_verified: boolean;
+	name: string;
+	given_name?: string;
+	family_name?: string;
+	picture?: string;
+	username?: string;
+	locale?: string;
+	phone_number?: string;
+	phone_number_verified?: boolean;
+	aud: string;
+	iss: string;
+	exp: number;
+	iat: number;
+	// Custom attributes from Cognito can be added here
+	[key: string]: any;
+}
+
+export interface CognitoOptions extends ProviderOptions<CognitoProfile> {
+	clientId: string;
+	/**
+	 * The Cognito domain (e.g., "your-app.auth.us-east-1.amazoncognito.com")
+	 */
+	domain: string;
+	/**
+	 * AWS region where User Pool is hosted (e.g., "us-east-1")
+	 */
+	region: string;
+	userPoolId: string;
+	requireClientSecret?: boolean;
+}
+
+export const cognito = (options: CognitoOptions) => {
+	if (!options.domain || !options.region || !options.userPoolId) {
+		logger.error(
+			"Domain, region and userPoolId are required for Amazon Cognito. Make sure to provide them in the options.",
+		);
+		throw new BetterAuthError("DOMAIN_AND_REGION_REQUIRED");
+	}
+
+	const cleanDomain = options.domain.replace(/^https?:\/\//, "");
+	const authorizationEndpoint = `https://${cleanDomain}/oauth2/authorize`;
+	const tokenEndpoint = `https://${cleanDomain}/oauth2/token`;
+	const userInfoEndpoint = `https://${cleanDomain}/oauth2/userinfo`;
+
+	return {
+		id: "cognito",
+		name: "Cognito",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId) {
+				logger.error(
+					"ClientId is required for Amazon Cognito. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+
+			if (options.requireClientSecret && !options.clientSecret) {
+				logger.error(
+					"Client Secret is required when requireClientSecret is true. Make sure to provide it in the options.",
+				);
+				throw new BetterAuthError("CLIENT_SECRET_REQUIRED");
+			}
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+
+			const url = await createAuthorizationURL({
+				id: "cognito",
+				options: {
+					...options,
+				},
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+			});
+			return url;
+		},
+
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+
+			try {
+				const decodedHeader = decodeProtectedHeader(token);
+				const { kid, alg: jwtAlg } = decodedHeader;
+				if (!kid || !jwtAlg) return false;
+
+				const publicKey = await getCognitoPublicKey(
+					kid,
+					options.region,
+					options.userPoolId,
+				);
+				const expectedIssuer = `https://cognito-idp.${options.region}.amazonaws.com/${options.userPoolId}`;
+
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: expectedIssuer,
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				});
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
+				return true;
+			} catch (error) {
+				logger.error("Failed to verify ID token:", error);
+				return false;
+			}
+		},
+
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			if (token.idToken) {
+				try {
+					const profile = decodeJwt<CognitoProfile>(token.idToken);
+					if (!profile) {
+						return null;
+					}
+					const name =
+						profile.name ||
+						profile.given_name ||
+						profile.username ||
+						profile.email;
+					const enrichedProfile = {
+						...profile,
+						name,
+					};
+					const userMap = await options.mapProfileToUser?.(enrichedProfile);
+
+					return {
+						user: {
+							id: profile.sub,
+							name: enrichedProfile.name,
+							email: profile.email,
+							image: profile.picture,
+							emailVerified: profile.email_verified,
+							...userMap,
+						},
+						data: enrichedProfile,
+					};
+				} catch (error) {
+					logger.error("Failed to decode ID token:", error);
+				}
+			}
+
+			if (token.accessToken) {
+				try {
+					const { data: userInfo } = await betterFetch<CognitoProfile>(
+						userInfoEndpoint,
+						{
+							headers: {
+								Authorization: `Bearer ${token.accessToken}`,
+							},
+						},
+					);
+
+					if (userInfo) {
+						const userMap = await options.mapProfileToUser?.(userInfo);
+						return {
+							user: {
+								id: userInfo.sub,
+								name: userInfo.name || userInfo.given_name || userInfo.username,
+								email: userInfo.email,
+								image: userInfo.picture,
+								emailVerified: userInfo.email_verified,
+								...userMap,
+							},
+							data: userInfo,
+						};
+					}
+				} catch (error) {
+					logger.error("Failed to fetch user info from Cognito:", error);
+				}
+			}
+
+			return null;
+		},
+
+		options,
+	} satisfies OAuthProvider<CognitoProfile>;
+};
+
+export const getCognitoPublicKey = async (
+	kid: string,
+	region: string,
+	userPoolId: string,
+) => {
+	const COGNITO_JWKS_URI = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}/.well-known/jwks.json`;
+
+	try {
+		const { data } = await betterFetch<{
+			keys: Array<{
+				kid: string;
+				alg: string;
+				kty: string;
+				use: string;
+				n: string;
+				e: string;
+			}>;
+		}>(COGNITO_JWKS_URI);
+
+		if (!data?.keys) {
+			throw new APIError("BAD_REQUEST", {
+				message: "Keys not found",
+			});
+		}
+
+		const jwk = data.keys.find((key) => key.kid === kid);
+		if (!jwk) {
+			throw new Error(`JWK with kid ${kid} not found`);
+		}
+
+		return await importJWK(jwk, jwk.alg);
+	} catch (error) {
+		logger.error("Failed to fetch Cognito public key:", error);
+		throw error;
+	}
+};

package/src/social-providers/discord.ts

@@ -0,0 +1,172 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+export interface DiscordProfile extends Record<string, any> {
+	/** the user's id (i.e. the numerical snowflake) */
+	id: string;
+	/** the user's username, not unique across the platform */
+	username: string;
+	/** the user's Discord-tag */
+	discriminator: string;
+	/** the user's display name, if it is set  */
+	global_name: string | null;
+	/**
+	 * the user's avatar hash:
+	 * https://discord.com/developers/docs/reference#image-formatting
+	 */
+	avatar: string | null;
+	/** whether the user belongs to an OAuth2 application */
+	bot?: boolean;
+	/**
+	 * whether the user is an Official Discord System user (part of the urgent
+	 * message system)
+	 */
+	system?: boolean;
+	/** whether the user has two factor enabled on their account */
+	mfa_enabled: boolean;
+	/**
+	 * the user's banner hash:
+	 * https://discord.com/developers/docs/reference#image-formatting
+	 */
+	banner: string | null;
+
+	/** the user's banner color encoded as an integer representation of hexadecimal color code */
+	accent_color: number | null;
+
+	/**
+	 * the user's chosen language option:
+	 * https://discord.com/developers/docs/reference#locales
+	 */
+	locale: string;
+	/** whether the email on this account has been verified */
+	verified: boolean;
+	/** the user's email */
+	email: string;
+	/**
+	 * the flags on a user's account:
+	 * https://discord.com/developers/docs/resources/user#user-object-user-flags
+	 */
+	flags: number;
+	/**
+	 * the type of Nitro subscription on a user's account:
+	 * https://discord.com/developers/docs/resources/user#user-object-premium-types
+	 */
+	premium_type: number;
+	/**
+	 * the public flags on a user's account:
+	 * https://discord.com/developers/docs/resources/user#user-object-user-flags
+	 */
+	public_flags: number;
+	/** undocumented field; corresponds to the user's custom nickname */
+	display_name: string | null;
+	/**
+	 * undocumented field; corresponds to the Discord feature where you can e.g.
+	 * put your avatar inside of an ice cube
+	 */
+	avatar_decoration: string | null;
+	/**
+	 * undocumented field; corresponds to the premium feature where you can
+	 * select a custom banner color
+	 */
+	banner_color: string | null;
+	/** undocumented field; the CDN URL of their profile picture */
+	image_url: string;
+}
+
+export interface DiscordOptions extends ProviderOptions<DiscordProfile> {
+	clientId: string;
+	prompt?: "none" | "consent";
+	permissions?: number;
+}
+
+export const discord = (options: DiscordOptions) => {
+	return {
+		id: "discord",
+		name: "Discord",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["identify", "email"];
+			scopes && _scopes.push(...scopes);
+			options.scope && _scopes.push(...options.scope);
+			const hasBotScope = _scopes.includes("bot");
+			const permissionsParam =
+				hasBotScope && options.permissions !== undefined
+					? `&permissions=${options.permissions}`
+					: "";
+			return new URL(
+				`https://discord.com/api/oauth2/authorize?scope=${_scopes.join(
+					"+",
+				)}&response_type=code&client_id=${
+					options.clientId
+				}&redirect_uri=${encodeURIComponent(
+					options.redirectURI || redirectURI,
+				)}&state=${state}&prompt=${
+					options.prompt || "none"
+				}${permissionsParam}`,
+			);
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://discord.com/api/oauth2/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://discord.com/api/oauth2/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<DiscordProfile>(
+				"https://discord.com/api/users/@me",
+				{
+					headers: {
+						authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+			if (profile.avatar === null) {
+				const defaultAvatarNumber =
+					profile.discriminator === "0"
+						? Number(BigInt(profile.id) >> BigInt(22)) % 6
+						: parseInt(profile.discriminator) % 5;
+				profile.image_url = `https://cdn.discordapp.com/embed/avatars/${defaultAvatarNumber}.png`;
+			} else {
+				const format = profile.avatar.startsWith("a_") ? "gif" : "png";
+				profile.image_url = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.global_name || profile.username || "",
+					email: profile.email,
+					emailVerified: profile.verified,
+					image: profile.image_url,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<DiscordProfile>;
+};

package/src/social-providers/dropbox.ts

@@ -0,0 +1,112 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+
+export interface DropboxProfile {
+	account_id: string;
+	name: {
+		given_name: string;
+		surname: string;
+		familiar_name: string;
+		display_name: string;
+		abbreviated_name: string;
+	};
+	email: string;
+	email_verified: boolean;
+	profile_photo_url: string;
+}
+
+export interface DropboxOptions extends ProviderOptions<DropboxProfile> {
+	clientId: string;
+	accessType?: "offline" | "online" | "legacy";
+}
+
+export const dropbox = (options: DropboxOptions) => {
+	const tokenEndpoint = "https://api.dropboxapi.com/oauth2/token";
+
+	return {
+		id: "dropbox",
+		name: "Dropbox",
+		createAuthorizationURL: async ({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+		}) => {
+			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			const additionalParams: Record<string, string> = {};
+			if (options.accessType) {
+				additionalParams.token_access_type = options.accessType;
+			}
+			return await createAuthorizationURL({
+				id: "dropbox",
+				options,
+				authorizationEndpoint: "https://www.dropbox.com/oauth2/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				codeVerifier,
+				additionalParams,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return await validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://api.dropbox.com/oauth2/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<DropboxProfile>(
+				"https://api.dropboxapi.com/2/users/get_current_account",
+				{
+					method: "POST",
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.account_id,
+					name: profile.name?.display_name,
+					email: profile.email,
+					emailVerified: profile.email_verified || false,
+					image: profile.profile_photo_url,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<DropboxProfile>;
+};