@better-auth/core 1.3.26 → 1.3.28

package/src/social-providers/facebook.ts

@@ -0,0 +1,204 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+import { createRemoteJWKSet, jwtVerify, decodeJwt } from "jose";
+import { refreshAccessToken } from "@better-auth/core/oauth2";
+export interface FacebookProfile {
+	id: string;
+	name: string;
+	email: string;
+	email_verified: boolean;
+	picture: {
+		data: {
+			height: number;
+			is_silhouette: boolean;
+			url: string;
+			width: number;
+		};
+	};
+}
+
+export interface FacebookOptions extends ProviderOptions<FacebookProfile> {
+	clientId: string;
+	/**
+	 * Extend list of fields to retrieve from the Facebook user profile.
+	 *
+	 * @default ["id", "name", "email", "picture"]
+	 */
+	fields?: string[];
+
+	/**
+	 * The config id to use when undergoing oauth
+	 */
+	configId?: string;
+}
+
+export const facebook = (options: FacebookOptions) => {
+	return {
+		id: "facebook",
+		name: "Facebook",
+		async createAuthorizationURL({ state, scopes, redirectURI, loginHint }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["email", "public_profile"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "facebook",
+				options,
+				authorizationEndpoint: "https://www.facebook.com/v21.0/dialog/oauth",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint,
+				additionalParams: options.configId
+					? {
+							config_id: options.configId,
+						}
+					: {},
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://graph.facebook.com/oauth/access_token",
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+
+			/* limited login */
+			// check is limited token
+			if (token.split(".").length === 3) {
+				try {
+					const { payload: jwtClaims } = await jwtVerify(
+						token,
+						createRemoteJWKSet(
+							// https://developers.facebook.com/docs/facebook-login/limited-login/token/#jwks
+							new URL(
+								"https://limited.facebook.com/.well-known/oauth/openid/jwks/",
+							),
+						),
+						{
+							algorithms: ["RS256"],
+							audience: options.clientId,
+							issuer: "https://www.facebook.com",
+						},
+					);
+
+					if (nonce && jwtClaims.nonce !== nonce) {
+						return false;
+					}
+
+					return !!jwtClaims;
+				} catch (error) {
+					return false;
+				}
+			}
+
+			/* access_token */
+			return true;
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint:
+							"https://graph.facebook.com/v18.0/oauth/access_token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			if (token.idToken && token.idToken.split(".").length === 3) {
+				const profile = decodeJwt(token.idToken) as {
+					sub: string;
+					email: string;
+					name: string;
+					picture: string;
+				};
+
+				const user = {
+					id: profile.sub,
+					name: profile.name,
+					email: profile.email,
+					picture: {
+						data: {
+							url: profile.picture,
+							height: 100,
+							width: 100,
+							is_silhouette: false,
+						},
+					},
+				};
+
+				// https://developers.facebook.com/docs/facebook-login/limited-login/permissions
+				const userMap = await options.mapProfileToUser?.({
+					...user,
+					email_verified: true,
+				});
+
+				return {
+					user: {
+						...user,
+						emailVerified: true,
+						...userMap,
+					},
+					data: profile,
+				};
+			}
+
+			const fields = [
+				"id",
+				"name",
+				"email",
+				"picture",
+				...(options?.fields || []),
+			];
+			const { data: profile, error } = await betterFetch<FacebookProfile>(
+				"https://graph.facebook.com/me?fields=" + fields.join(","),
+				{
+					auth: {
+						type: "Bearer",
+						token: token.accessToken,
+					},
+				},
+			);
+			if (error) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name,
+					email: profile.email,
+					image: profile.picture.data.url,
+					emailVerified: profile.email_verified,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<FacebookProfile>;
+};

package/src/social-providers/figma.ts

@@ -0,0 +1,115 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+import { logger } from "@better-auth/core/env";
+import { refreshAccessToken } from "@better-auth/core/oauth2";
+
+export interface FigmaProfile {
+	id: string;
+	email: string;
+	handle: string;
+	img_url: string;
+}
+
+export interface FigmaOptions extends ProviderOptions<FigmaProfile> {
+	clientId: string;
+}
+
+export const figma = (options: FigmaOptions) => {
+	return {
+		id: "figma",
+		name: "Figma",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error(
+					"Client Id and Client Secret are required for Figma. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) {
+				throw new BetterAuthError("codeVerifier is required for Figma");
+			}
+
+			const _scopes = options.disableDefaultScope ? [] : ["file_read"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+
+			const url = await createAuthorizationURL({
+				id: "figma",
+				options,
+				authorizationEndpoint: "https://www.figma.com/oauth",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+			});
+
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://www.figma.com/api/oauth/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://www.figma.com/api/oauth/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			try {
+				const { data: profile } = await betterFetch<FigmaProfile>(
+					"https://api.figma.com/v1/me",
+					{
+						headers: {
+							Authorization: `Bearer ${token.accessToken}`,
+						},
+					},
+				);
+
+				if (!profile) {
+					logger.error("Failed to fetch user from Figma");
+					return null;
+				}
+
+				const userMap = await options.mapProfileToUser?.(profile);
+
+				return {
+					user: {
+						id: profile.id,
+						name: profile.handle,
+						email: profile.email,
+						image: profile.img_url,
+						emailVerified: !!profile.email,
+						...userMap,
+					},
+					data: profile,
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Figma:", error);
+				return null;
+			}
+		},
+		options,
+	} satisfies OAuthProvider<FigmaProfile>;
+};

package/src/social-providers/github.ts

@@ -0,0 +1,154 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+
+export interface GithubProfile {
+	login: string;
+	id: string;
+	node_id: string;
+	avatar_url: string;
+	gravatar_id: string;
+	url: string;
+	html_url: string;
+	followers_url: string;
+	following_url: string;
+	gists_url: string;
+	starred_url: string;
+	subscriptions_url: string;
+	organizations_url: string;
+	repos_url: string;
+	events_url: string;
+	received_events_url: string;
+	type: string;
+	site_admin: boolean;
+	name: string;
+	company: string;
+	blog: string;
+	location: string;
+	email: string;
+	hireable: boolean;
+	bio: string;
+	twitter_username: string;
+	public_repos: string;
+	public_gists: string;
+	followers: string;
+	following: string;
+	created_at: string;
+	updated_at: string;
+	private_gists: string;
+	total_private_repos: string;
+	owned_private_repos: string;
+	disk_usage: string;
+	collaborators: string;
+	two_factor_authentication: boolean;
+	plan: {
+		name: string;
+		space: string;
+		private_repos: string;
+		collaborators: string;
+	};
+}
+
+export interface GithubOptions extends ProviderOptions<GithubProfile> {
+	clientId: string;
+}
+export const github = (options: GithubOptions) => {
+	const tokenEndpoint = "https://github.com/login/oauth/access_token";
+	return {
+		id: "github",
+		name: "GitHub",
+		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["read:user", "user:email"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "github",
+				options,
+				authorizationEndpoint: "https://github.com/login/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint,
+				prompt: options.prompt,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://github.com/login/oauth/access_token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<GithubProfile>(
+				"https://api.github.com/user",
+				{
+					headers: {
+						"User-Agent": "better-auth",
+						authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+			if (error) {
+				return null;
+			}
+			const { data: emails } = await betterFetch<
+				{
+					email: string;
+					primary: boolean;
+					verified: boolean;
+					visibility: "public" | "private";
+				}[]
+			>("https://api.github.com/user/emails", {
+				headers: {
+					Authorization: `Bearer ${token.accessToken}`,
+					"User-Agent": "better-auth",
+				},
+			});
+
+			if (!profile.email && emails) {
+				profile.email = (emails.find((e) => e.primary) ?? emails[0])
+					?.email as string;
+			}
+			const emailVerified =
+				emails?.find((e) => e.email === profile.email)?.verified ?? false;
+
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name || profile.login,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<GithubProfile>;
+};

package/src/social-providers/gitlab.ts

@@ -0,0 +1,152 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+
+export interface GitlabProfile extends Record<string, any> {
+	id: number;
+	username: string;
+	email: string;
+	name: string;
+	state: string;
+	avatar_url: string;
+	web_url: string;
+	created_at: string;
+	bio: string;
+	location?: string;
+	public_email: string;
+	skype: string;
+	linkedin: string;
+	twitter: string;
+	website_url: string;
+	organization: string;
+	job_title: string;
+	pronouns: string;
+	bot: boolean;
+	work_information?: string;
+	followers: number;
+	following: number;
+	local_time: string;
+	last_sign_in_at: string;
+	confirmed_at: string;
+	theme_id: number;
+	last_activity_on: string;
+	color_scheme_id: number;
+	projects_limit: number;
+	current_sign_in_at: string;
+	identities: Array<{
+		provider: string;
+		extern_uid: string;
+	}>;
+	can_create_group: boolean;
+	can_create_project: boolean;
+	two_factor_enabled: boolean;
+	external: boolean;
+	private_profile: boolean;
+	commit_email: string;
+	shared_runners_minutes_limit: number;
+	extra_shared_runners_minutes_limit: number;
+}
+
+export interface GitlabOptions extends ProviderOptions<GitlabProfile> {
+	clientId: string;
+	issuer?: string;
+}
+
+const cleanDoubleSlashes = (input: string = "") => {
+	return input
+		.split("://")
+		.map((str) => str.replace(/\/{2,}/g, "/"))
+		.join("://");
+};
+
+const issuerToEndpoints = (issuer?: string) => {
+	let baseUrl = issuer || "https://gitlab.com";
+	return {
+		authorizationEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/authorize`),
+		tokenEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/token`),
+		userinfoEndpoint: cleanDoubleSlashes(`${baseUrl}/api/v4/user`),
+	};
+};
+
+export const gitlab = (options: GitlabOptions) => {
+	const { authorizationEndpoint, tokenEndpoint, userinfoEndpoint } =
+		issuerToEndpoints(options.issuer);
+	const issuerId = "gitlab";
+	const issuerName = "Gitlab";
+	return {
+		id: issuerId,
+		name: issuerName,
+		createAuthorizationURL: async ({
+			state,
+			scopes,
+			codeVerifier,
+			loginHint,
+			redirectURI,
+		}) => {
+			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: issuerId,
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				redirectURI,
+				codeVerifier,
+				loginHint,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				codeVerifier,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: tokenEndpoint,
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<GitlabProfile>(
+				userinfoEndpoint,
+				{ headers: { authorization: `Bearer ${token.accessToken}` } },
+			);
+			if (error || profile.state !== "active" || profile.locked) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name ?? profile.username,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified: true,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<GitlabProfile>;
+};