@better-auth/core 1.3.26 → 1.3.28

package/src/social-providers/salesforce.ts

@@ -0,0 +1,157 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+import { logger } from "@better-auth/core/env";
+import { refreshAccessToken } from "@better-auth/core/oauth2";
+
+export interface SalesforceProfile {
+	sub: string;
+	user_id: string;
+	organization_id: string;
+	preferred_username?: string;
+	email: string;
+	email_verified?: boolean;
+	name: string;
+	given_name?: string;
+	family_name?: string;
+	zoneinfo?: string;
+	photos?: {
+		picture?: string;
+		thumbnail?: string;
+	};
+}
+
+export interface SalesforceOptions extends ProviderOptions<SalesforceProfile> {
+	clientId: string;
+	environment?: "sandbox" | "production";
+	loginUrl?: string;
+	/**
+	 * Override the redirect URI if auto-detection fails.
+	 * Should match the Callback URL configured in your Salesforce Connected App.
+	 * @example "http://localhost:3000/api/auth/callback/salesforce"
+	 */
+	redirectURI?: string;
+}
+
+export const salesforce = (options: SalesforceOptions) => {
+	const environment = options.environment ?? "production";
+	const isSandbox = environment === "sandbox";
+	const authorizationEndpoint = options.loginUrl
+		? `https://${options.loginUrl}/services/oauth2/authorize`
+		: isSandbox
+			? "https://test.salesforce.com/services/oauth2/authorize"
+			: "https://login.salesforce.com/services/oauth2/authorize";
+
+	const tokenEndpoint = options.loginUrl
+		? `https://${options.loginUrl}/services/oauth2/token`
+		: isSandbox
+			? "https://test.salesforce.com/services/oauth2/token"
+			: "https://login.salesforce.com/services/oauth2/token";
+
+	const userInfoEndpoint = options.loginUrl
+		? `https://${options.loginUrl}/services/oauth2/userinfo`
+		: isSandbox
+			? "https://test.salesforce.com/services/oauth2/userinfo"
+			: "https://login.salesforce.com/services/oauth2/userinfo";
+
+	return {
+		id: "salesforce",
+		name: "Salesforce",
+
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error(
+					"Client Id and Client Secret are required for Salesforce. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) {
+				throw new BetterAuthError("codeVerifier is required for Salesforce");
+			}
+
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "email", "profile"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+
+			return createAuthorizationURL({
+				id: "salesforce",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI: options.redirectURI || redirectURI,
+			});
+		},
+
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI: options.redirectURI || redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			try {
+				const { data: user } = await betterFetch<SalesforceProfile>(
+					userInfoEndpoint,
+					{
+						headers: {
+							Authorization: `Bearer ${token.accessToken}`,
+						},
+					},
+				);
+
+				if (!user) {
+					logger.error("Failed to fetch user info from Salesforce");
+					return null;
+				}
+
+				const userMap = await options.mapProfileToUser?.(user);
+
+				return {
+					user: {
+						id: user.user_id,
+						name: user.name,
+						email: user.email,
+						image: user.photos?.picture || user.photos?.thumbnail,
+						emailVerified: user.email_verified ?? false,
+						...userMap,
+					},
+					data: user,
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Salesforce:", error);
+				return null;
+			}
+		},
+
+		options,
+	} satisfies OAuthProvider<SalesforceProfile>;
+};

package/src/social-providers/slack.ts

@@ -0,0 +1,114 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	validateAuthorizationCode,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+
+export interface SlackProfile extends Record<string, any> {
+	ok: boolean;
+	sub: string;
+	"https://slack.com/user_id": string;
+	"https://slack.com/team_id": string;
+	email: string;
+	email_verified: boolean;
+	date_email_verified: number;
+	name: string;
+	picture: string;
+	given_name: string;
+	family_name: string;
+	locale: string;
+	"https://slack.com/team_name": string;
+	"https://slack.com/team_domain": string;
+	"https://slack.com/user_image_24": string;
+	"https://slack.com/user_image_32": string;
+	"https://slack.com/user_image_48": string;
+	"https://slack.com/user_image_72": string;
+	"https://slack.com/user_image_192": string;
+	"https://slack.com/user_image_512": string;
+	"https://slack.com/team_image_34": string;
+	"https://slack.com/team_image_44": string;
+	"https://slack.com/team_image_68": string;
+	"https://slack.com/team_image_88": string;
+	"https://slack.com/team_image_102": string;
+	"https://slack.com/team_image_132": string;
+	"https://slack.com/team_image_230": string;
+	"https://slack.com/team_image_default": boolean;
+}
+
+export interface SlackOptions extends ProviderOptions<SlackProfile> {
+	clientId: string;
+}
+
+export const slack = (options: SlackOptions) => {
+	return {
+		id: "slack",
+		name: "Slack",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			scopes && _scopes.push(...scopes);
+			options.scope && _scopes.push(...options.scope);
+			const url = new URL("https://slack.com/openid/connect/authorize");
+			url.searchParams.set("scope", _scopes.join(" "));
+			url.searchParams.set("response_type", "code");
+			url.searchParams.set("client_id", options.clientId);
+			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+			url.searchParams.set("state", state);
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://slack.com/api/openid.connect.token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://slack.com/api/openid.connect.token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<SlackProfile>(
+				"https://slack.com/api/openid.connect.userInfo",
+				{
+					headers: {
+						authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile["https://slack.com/user_id"],
+					name: profile.name || "",
+					email: profile.email,
+					emailVerified: profile.email_verified,
+					image: profile.picture || profile["https://slack.com/user_image_512"],
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<SlackProfile>;
+};

package/src/social-providers/spotify.ts

@@ -0,0 +1,93 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+
+export interface SpotifyProfile {
+	id: string;
+	display_name: string;
+	email: string;
+	images: {
+		url: string;
+	}[];
+}
+
+export interface SpotifyOptions extends ProviderOptions<SpotifyProfile> {
+	clientId: string;
+}
+
+export const spotify = (options: SpotifyOptions) => {
+	return {
+		id: "spotify",
+		name: "Spotify",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["user-read-email"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "spotify",
+				options,
+				authorizationEndpoint: "https://accounts.spotify.com/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://accounts.spotify.com/api/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://accounts.spotify.com/api/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<SpotifyProfile>(
+				"https://api.spotify.com/v1/me",
+				{
+					method: "GET",
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+			if (error) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.display_name,
+					email: profile.email,
+					image: profile.images[0]?.url,
+					emailVerified: false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<SpotifyProfile>;
+};

package/src/social-providers/tiktok.ts

@@ -0,0 +1,211 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+
+/**
+ * [More info](https://developers.tiktok.com/doc/tiktok-api-v2-get-user-info/)
+ */
+export interface TiktokProfile extends Record<string, any> {
+	data: {
+		user: {
+			/**
+			 * The unique identification of the user in the current application.Open id
+			 * for the client.
+			 *
+			 * To return this field, add `fields=open_id` in the user profile request's query parameter.
+			 */
+			open_id: string;
+			/**
+			 * The unique identification of the user across different apps for the same developer.
+			 * For example, if a partner has X number of clients,
+			 * it will get X number of open_id for the same TikTok user,
+			 * but one persistent union_id for the particular user.
+			 *
+			 * To return this field, add `fields=union_id` in the user profile request's query parameter.
+			 */
+			union_id?: string;
+			/**
+			 * User's profile image.
+			 *
+			 * To return this field, add `fields=avatar_url` in the user profile request's query parameter.
+			 */
+			avatar_url?: string;
+			/**
+			 * User`s profile image in 100x100 size.
+			 *
+			 * To return this field, add `fields=avatar_url_100` in the user profile request's query parameter.
+			 */
+			avatar_url_100?: string;
+			/**
+			 * User's profile image with higher resolution
+			 *
+			 * To return this field, add `fields=avatar_url_100` in the user profile request's query parameter.
+			 */
+			avatar_large_url: string;
+			/**
+			 * User's profile name
+			 *
+			 * To return this field, add `fields=display_name` in the user profile request's query parameter.
+			 */
+			display_name: string;
+			/**
+			 * User's username.
+			 *
+			 * To return this field, add `fields=username` in the user profile request's query parameter.
+			 */
+			username: string;
+			/** @note Email is currently unsupported by TikTok  */
+			email?: string;
+			/**
+			 * User's bio description if there is a valid one.
+			 *
+			 * To return this field, add `fields=bio_description` in the user profile request's query parameter.
+			 */
+			bio_description?: string;
+			/**
+			 * The link to user's TikTok profile page.
+			 *
+			 * To return this field, add `fields=profile_deep_link` in the user profile request's query parameter.
+			 */
+			profile_deep_link?: string;
+			/**
+			 * Whether TikTok has provided a verified badge to the account after confirming
+			 * that it belongs to the user it represents.
+			 *
+			 * To return this field, add `fields=is_verified` in the user profile request's query parameter.
+			 */
+			is_verified?: boolean;
+			/**
+			 * User's followers count.
+			 *
+			 * To return this field, add `fields=follower_count` in the user profile request's query parameter.
+			 */
+			follower_count?: number;
+			/**
+			 * The number of accounts that the user is following.
+			 *
+			 * To return this field, add `fields=following_count` in the user profile request's query parameter.
+			 */
+			following_count?: number;
+			/**
+			 * The total number of likes received by the user across all of their videos.
+			 *
+			 * To return this field, add `fields=likes_count` in the user profile request's query parameter.
+			 */
+			likes_count?: number;
+			/**
+			 * The total number of publicly posted videos by the user.
+			 *
+			 * To return this field, add `fields=video_count` in the user profile request's query parameter.
+			 */
+			video_count?: number;
+		};
+	};
+	error?: {
+		/**
+		 * The error category in string.
+		 */
+		code?: string;
+		/**
+		 * The error message in string.
+		 */
+		message?: string;
+		/**
+		 * The error message in string.
+		 */
+		log_id?: string;
+	};
+}
+
+export interface TiktokOptions extends ProviderOptions {
+	// Client ID is not used in TikTok, we delete it from the options
+	clientId?: never;
+	clientSecret: string;
+	clientKey: string;
+}
+
+export const tiktok = (options: TiktokOptions) => {
+	return {
+		id: "tiktok",
+		name: "TikTok",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["user.info.profile"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return new URL(
+				`https://www.tiktok.com/v2/auth/authorize?scope=${_scopes.join(
+					",",
+				)}&response_type=code&client_key=${options.clientKey}&redirect_uri=${encodeURIComponent(
+					options.redirectURI || redirectURI,
+				)}&state=${state}`,
+			);
+		},
+
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI: options.redirectURI || redirectURI,
+				options: {
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret,
+				},
+				tokenEndpoint: "https://open.tiktokapis.com/v2/oauth/token/",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://open.tiktokapis.com/v2/oauth/token/",
+						authentication: "post",
+						extraParams: {
+							client_key: options.clientKey,
+						},
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			const fields = [
+				"open_id",
+				"avatar_large_url",
+				"display_name",
+				"username",
+			];
+			const { data: profile, error } = await betterFetch<TiktokProfile>(
+				`https://open.tiktokapis.com/v2/user/info/?fields=${fields.join(",")}`,
+				{
+					headers: {
+						authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+
+			return {
+				user: {
+					email: profile.data.user.email || profile.data.user.username,
+					id: profile.data.user.open_id,
+					name: profile.data.user.display_name || profile.data.user.username,
+					image: profile.data.user.avatar_large_url,
+					/** @note Tiktok does not provide emailVerified or even email*/
+					emailVerified: profile.data.user.email ? true : false,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<TiktokProfile, TiktokOptions>;
+};

package/src/social-providers/twitch.ts

@@ -0,0 +1,111 @@
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import { logger } from "@better-auth/core/env";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+import { decodeJwt } from "jose";
+
+/**
+ * @see https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#requesting-claims
+ */
+export interface TwitchProfile {
+	/**
+	 * The sub of the user
+	 */
+	sub: string;
+	/**
+	 * The preferred username of the user
+	 */
+	preferred_username: string;
+	/**
+	 * The email of the user
+	 */
+	email: string;
+	/**
+	 * Indicate if this user has a verified email.
+	 */
+	email_verified: boolean;
+	/**
+	 * The picture of the user
+	 */
+	picture: string;
+}
+
+export interface TwitchOptions extends ProviderOptions<TwitchProfile> {
+	clientId: string;
+	claims?: string[];
+}
+export const twitch = (options: TwitchOptions) => {
+	return {
+		id: "twitch",
+		name: "Twitch",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["user:read:email", "openid"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "twitch",
+				redirectURI,
+				options,
+				authorizationEndpoint: "https://id.twitch.tv/oauth2/authorize",
+				scopes: _scopes,
+				state,
+				claims: options.claims || [
+					"email",
+					"email_verified",
+					"preferred_username",
+					"picture",
+				],
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://id.twitch.tv/oauth2/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://id.twitch.tv/oauth2/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const idToken = token.idToken;
+			if (!idToken) {
+				logger.error("No idToken found in token");
+				return null;
+			}
+			const profile = decodeJwt(idToken) as TwitchProfile;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.preferred_username,
+					email: profile.email,
+					image: profile.picture,
+					emailVerified: profile.email_verified,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<TwitchProfile>;
+};