@better-auth/core 1.3.26 → 1.3.28

package/src/social-providers/line.ts

@@ -0,0 +1,169 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt } from "jose";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+
+export interface LineIdTokenPayload {
+	iss: string;
+	sub: string;
+	aud: string;
+	exp: number;
+	iat: number;
+	name?: string;
+	picture?: string;
+	email?: string;
+	amr?: string[];
+	nonce?: string;
+}
+
+export interface LineUserInfo {
+	sub: string;
+	name?: string;
+	picture?: string;
+	email?: string;
+}
+
+export interface LineOptions
+	extends ProviderOptions<LineUserInfo | LineIdTokenPayload> {
+	clientId: string;
+}
+
+/**
+ * LINE Login v2.1
+ * - Authorization endpoint: https://access.line.me/oauth2/v2.1/authorize
+ * - Token endpoint: https://api.line.me/oauth2/v2.1/token
+ * - UserInfo endpoint: https://api.line.me/oauth2/v2.1/userinfo
+ * - Verify ID token: https://api.line.me/oauth2/v2.1/verify
+ *
+ * Docs: https://developers.line.biz/en/reference/line-login/#issue-access-token
+ */
+export const line = (options: LineOptions) => {
+	const authorizationEndpoint = "https://access.line.me/oauth2/v2.1/authorize";
+	const tokenEndpoint = "https://api.line.me/oauth2/v2.1/token";
+	const userInfoEndpoint = "https://api.line.me/oauth2/v2.1/userinfo";
+	const verifyIdTokenEndpoint = "https://api.line.me/oauth2/v2.1/verify";
+
+	return {
+		id: "line",
+		name: "LINE",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			loginHint,
+		}) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "line",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				loginHint,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+			const body = new URLSearchParams();
+			body.set("id_token", token);
+			body.set("client_id", options.clientId);
+			if (nonce) body.set("nonce", nonce);
+			const { data, error } = await betterFetch<LineIdTokenPayload>(
+				verifyIdTokenEndpoint,
+				{
+					method: "POST",
+					headers: {
+						"content-type": "application/x-www-form-urlencoded",
+					},
+					body,
+				},
+			);
+			if (error || !data) {
+				return false;
+			}
+			// aud must match clientId; nonce (if provided) must also match
+			if (data.aud !== options.clientId) return false;
+			if (nonce && data.nonce && data.nonce !== nonce) return false;
+			return true;
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			let profile: LineUserInfo | LineIdTokenPayload | null = null;
+			// Prefer ID token if available
+			if (token.idToken) {
+				try {
+					profile = decodeJwt(token.idToken) as LineIdTokenPayload;
+				} catch {}
+			}
+			// Fallback to UserInfo endpoint
+			if (!profile) {
+				const { data } = await betterFetch<LineUserInfo>(userInfoEndpoint, {
+					headers: {
+						authorization: `Bearer ${token.accessToken}`,
+					},
+				});
+				profile = data || null;
+			}
+			if (!profile) return null;
+			const userMap = await options.mapProfileToUser?.(profile as any);
+			// ID preference order
+			const id = (profile as any).sub || (profile as any).userId;
+			const name = (profile as any).name || (profile as any).displayName;
+			const image =
+				(profile as any).picture || (profile as any).pictureUrl || undefined;
+			const email = (profile as any).email;
+			return {
+				user: {
+					id,
+					name,
+					email,
+					image,
+					// LINE does not expose email verification status in ID token/userinfo
+					emailVerified: false,
+					...userMap,
+				},
+				data: profile as any,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<LineUserInfo | LineIdTokenPayload, LineOptions>;
+};

package/src/social-providers/linear.ts

@@ -0,0 +1,120 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+
+interface LinearUser {
+	id: string;
+	name: string;
+	email: string;
+	avatarUrl?: string;
+	active: boolean;
+	createdAt: string;
+	updatedAt: string;
+}
+
+export interface LinearProfile {
+	data: {
+		viewer: LinearUser;
+	};
+}
+
+export interface LinearOptions extends ProviderOptions<LinearUser> {
+	clientId: string;
+}
+
+export const linear = (options: LinearOptions) => {
+	const tokenEndpoint = "https://api.linear.app/oauth/token";
+	return {
+		id: "linear",
+		name: "Linear",
+		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["read"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "linear",
+				options,
+				authorizationEndpoint: "https://linear.app/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			const { data: profile, error } = await betterFetch<LinearProfile>(
+				"https://api.linear.app/graphql",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/json",
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+					body: JSON.stringify({
+						query: `
+							query {
+								viewer {
+									id
+									name
+									email
+									avatarUrl
+									active
+									createdAt
+									updatedAt
+								}
+							}
+						`,
+					}),
+				},
+			);
+			if (error || !profile?.data?.viewer) {
+				return null;
+			}
+
+			const userData = profile.data.viewer;
+			const userMap = await options.mapProfileToUser?.(userData);
+
+			return {
+				user: {
+					id: profile.data.viewer.id,
+					name: profile.data.viewer.name,
+					email: profile.data.viewer.email,
+					image: profile.data.viewer.avatarUrl,
+					emailVerified: true,
+					...userMap,
+				},
+				data: userData,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<LinearUser>;
+};

package/src/social-providers/linkedin.ts

@@ -0,0 +1,110 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+
+export interface LinkedInProfile {
+	sub: string;
+	name: string;
+	given_name: string;
+	family_name: string;
+	picture: string;
+	locale: {
+		country: string;
+		language: string;
+	};
+	email: string;
+	email_verified: boolean;
+}
+
+export interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
+	clientId: string;
+}
+
+export const linkedin = (options: LinkedInOptions) => {
+	const authorizationEndpoint =
+		"https://www.linkedin.com/oauth/v2/authorization";
+	const tokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
+
+	return {
+		id: "linkedin",
+		name: "Linkedin",
+		createAuthorizationURL: async ({
+			state,
+			scopes,
+			redirectURI,
+			loginHint,
+		}) => {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["profile", "email", "openid"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "linkedin",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				loginHint,
+				redirectURI,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return await validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<LinkedInProfile>(
+				"https://api.linkedin.com/v2/userinfo",
+				{
+					method: "GET",
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name,
+					email: profile.email,
+					emailVerified: profile.email_verified || false,
+					image: profile.picture,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<LinkedInProfile>;
+};

package/src/social-providers/microsoft-entra-id.ts

@@ -0,0 +1,243 @@
+import {
+	validateAuthorizationCode,
+	createAuthorizationURL,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import { betterFetch } from "@better-fetch/fetch";
+import { logger } from "@better-auth/core/env";
+import { decodeJwt } from "jose";
+import { base64 } from "@better-auth/utils/base64";
+
+/**
+ * @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)
+ */
+export interface MicrosoftEntraIDProfile extends Record<string, any> {
+	/** Identifies the intended recipient of the token */
+	aud: string;
+	/** Identifies the issuer, or "authorization server" that constructs and returns the token */
+	iss: string;
+	/** Indicates when the authentication for the token occurred */
+	iat: Date;
+	/** Records the identity provider that authenticated the subject of the token */
+	idp: string;
+	/** Identifies the time before which the JWT can't be accepted for processing */
+	nbf: Date;
+	/** Identifies the expiration time on or after which the JWT can't be accepted for processing */
+	exp: Date;
+	/** Code hash included in ID tokens when issued with an OAuth 2.0 authorization code */
+	c_hash: string;
+	/** Access token hash included in ID tokens when issued with an OAuth 2.0 access token */
+	at_hash: string;
+	/** Internal claim used to record data for token reuse */
+	aio: string;
+	/** The primary username that represents the user */
+	preferred_username: string;
+	/** User's email address */
+	email: string;
+	/** Human-readable value that identifies the subject of the token */
+	name: string;
+	/** Matches the parameter included in the original authorize request */
+	nonce: string;
+	/** User's profile picture */
+	picture: string;
+	/** Immutable identifier for the user account */
+	oid: string;
+	/** Set of roles assigned to the user */
+	roles: string[];
+	/** Internal claim used to revalidate tokens */
+	rh: string;
+	/** Subject identifier - unique to application ID */
+	sub: string;
+	/** Tenant ID the user is signing in to */
+	tid: string;
+	/** Unique identifier for a session */
+	sid: string;
+	/** Token identifier claim */
+	uti: string;
+	/** Indicates if user is in at least one group */
+	hasgroups: boolean;
+	/** User account status in tenant (0 = member, 1 = guest) */
+	acct: 0 | 1;
+	/** Auth Context IDs */
+	acrs: string;
+	/** Time when the user last authenticated */
+	auth_time: Date;
+	/** User's country/region */
+	ctry: string;
+	/** IP address of requesting client when inside VNET */
+	fwd: string;
+	/** Group claims */
+	groups: string;
+	/** Login hint for SSO */
+	login_hint: string;
+	/** Resource tenant's country/region */
+	tenant_ctry: string;
+	/** Region of the resource tenant */
+	tenant_region_scope: string;
+	/** UserPrincipalName */
+	upn: string;
+	/** User's verified primary email addresses */
+	verified_primary_email: string[];
+	/** User's verified secondary email addresses */
+	verified_secondary_email: string[];
+	/** VNET specifier information */
+	vnet: string;
+	/** Client Capabilities */
+	xms_cc: string;
+	/** Whether user's email domain is verified */
+	xms_edov: boolean;
+	/** Preferred data location for Multi-Geo tenants */
+	xms_pdl: string;
+	/** User preferred language */
+	xms_pl: string;
+	/** Tenant preferred language */
+	xms_tpl: string;
+	/** Zero-touch Deployment ID */
+	ztdid: string;
+	/** IP Address */
+	ipaddr: string;
+	/** On-premises Security Identifier */
+	onprem_sid: string;
+	/** Password Expiration Time */
+	pwd_exp: number;
+	/** Change Password URL */
+	pwd_url: string;
+	/** Inside Corporate Network flag */
+	in_corp: string;
+	/** User's family name/surname */
+	family_name: string;
+	/** User's given/first name */
+	given_name: string;
+}
+
+export interface MicrosoftOptions
+	extends ProviderOptions<MicrosoftEntraIDProfile> {
+	clientId: string;
+	/**
+	 * The tenant ID of the Microsoft account
+	 * @default "common"
+	 */
+	tenantId?: string;
+	/**
+	 * The authentication authority URL. Use the default "https://login.microsoftonline.com" for standard Entra ID or "https://<tenant-id>.ciamlogin.com" for CIAM scenarios.
+	 * @default "https://login.microsoftonline.com"
+	 */
+	authority?: string;
+	/**
+	 * The size of the profile photo
+	 * @default 48
+	 */
+	profilePhotoSize?: 48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648;
+	/**
+	 * Disable profile photo
+	 */
+	disableProfilePhoto?: boolean;
+}
+
+export const microsoft = (options: MicrosoftOptions) => {
+	const tenant = options.tenantId || "common";
+	const authority = options.authority || "https://login.microsoftonline.com";
+	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
+	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
+	return {
+		id: "microsoft",
+		name: "Microsoft EntraID",
+		createAuthorizationURL(data) {
+			const scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email", "User.Read", "offline_access"];
+			options.scope && scopes.push(...options.scope);
+			data.scopes && scopes.push(...data.scopes);
+			return createAuthorizationURL({
+				id: "microsoft",
+				options,
+				authorizationEndpoint,
+				state: data.state,
+				codeVerifier: data.codeVerifier,
+				scopes,
+				redirectURI: data.redirectURI,
+				prompt: options.prompt,
+				loginHint: data.loginHint,
+			});
+		},
+		validateAuthorizationCode({ code, codeVerifier, redirectURI }) {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			if (!token.idToken) {
+				return null;
+			}
+			const user = decodeJwt(token.idToken) as MicrosoftEntraIDProfile;
+			const profilePhotoSize = options.profilePhotoSize || 48;
+			await betterFetch<ArrayBuffer>(
+				`https://graph.microsoft.com/v1.0/me/photos/${profilePhotoSize}x${profilePhotoSize}/$value`,
+				{
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+					async onResponse(context) {
+						if (options.disableProfilePhoto || !context.response.ok) {
+							return;
+						}
+						try {
+							const response = context.response.clone();
+							const pictureBuffer = await response.arrayBuffer();
+							const pictureBase64 = base64.encode(pictureBuffer);
+							user.picture = `data:image/jpeg;base64, ${pictureBase64}`;
+						} catch (e) {
+							logger.error(
+								e && typeof e === "object" && "name" in e
+									? (e.name as string)
+									: "",
+								e,
+							);
+						}
+					},
+				},
+			);
+			const userMap = await options.mapProfileToUser?.(user);
+			return {
+				user: {
+					id: user.sub,
+					name: user.name,
+					email: user.email,
+					image: user.picture,
+					emailVerified: true,
+					...userMap,
+				},
+				data: user,
+			};
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					const scopes = options.disableDefaultScope
+						? []
+						: ["openid", "profile", "email", "User.Read", "offline_access"];
+					options.scope && scopes.push(...options.scope);
+
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientSecret: options.clientSecret,
+						},
+						extraParams: {
+							scope: scopes.join(" "), // Include the scopes in request to microsoft
+						},
+						tokenEndpoint,
+					});
+				},
+		options,
+	} satisfies OAuthProvider;
+};