@better-auth/core 1.3.27 → 1.3.29

package/src/oauth2/create-authorization-url.ts

@@ -0,0 +1,85 @@
+import type { ProviderOptions } from "./index";
+import { generateCodeChallenge } from "./utils";
+
+export async function createAuthorizationURL({
+	id,
+	options,
+	authorizationEndpoint,
+	state,
+	codeVerifier,
+	scopes,
+	claims,
+	redirectURI,
+	duration,
+	prompt,
+	accessType,
+	responseType,
+	display,
+	loginHint,
+	hd,
+	responseMode,
+	additionalParams,
+	scopeJoiner,
+}: {
+	id: string;
+	options: ProviderOptions;
+	redirectURI: string;
+	authorizationEndpoint: string;
+	state: string;
+	codeVerifier?: string;
+	scopes: string[];
+	claims?: string[];
+	duration?: string;
+	prompt?: string;
+	accessType?: string;
+	responseType?: string;
+	display?: string;
+	loginHint?: string;
+	hd?: string;
+	responseMode?: string;
+	additionalParams?: Record<string, string>;
+	scopeJoiner?: string;
+}) {
+	const url = new URL(authorizationEndpoint);
+	url.searchParams.set("response_type", responseType || "code");
+	const primaryClientId = Array.isArray(options.clientId)
+		? options.clientId[0]
+		: options.clientId;
+	url.searchParams.set("client_id", primaryClientId);
+	url.searchParams.set("state", state);
+	url.searchParams.set("scope", scopes.join(scopeJoiner || " "));
+	url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+	duration && url.searchParams.set("duration", duration);
+	display && url.searchParams.set("display", display);
+	loginHint && url.searchParams.set("login_hint", loginHint);
+	prompt && url.searchParams.set("prompt", prompt);
+	hd && url.searchParams.set("hd", hd);
+	accessType && url.searchParams.set("access_type", accessType);
+	responseMode && url.searchParams.set("response_mode", responseMode);
+	if (codeVerifier) {
+		const codeChallenge = await generateCodeChallenge(codeVerifier);
+		url.searchParams.set("code_challenge_method", "S256");
+		url.searchParams.set("code_challenge", codeChallenge);
+	}
+	if (claims) {
+		const claimsObj = claims.reduce(
+			(acc, claim) => {
+				acc[claim] = null;
+				return acc;
+			},
+			{} as Record<string, null>,
+		);
+		url.searchParams.set(
+			"claims",
+			JSON.stringify({
+				id_token: { email: null, email_verified: null, ...claimsObj },
+			}),
+		);
+	}
+	if (additionalParams) {
+		Object.entries(additionalParams).forEach(([key, value]) => {
+			url.searchParams.set(key, value);
+		});
+	}
+	return url;
+}

package/src/oauth2/index.ts

@@ -0,0 +1,22 @@
+export type {
+	OAuth2Tokens,
+	OAuthProvider,
+	OAuth2UserInfo,
+	ProviderOptions,
+} from "./oauth-provider";
+
+export { generateCodeChallenge, getOAuth2Tokens } from "./utils";
+export { createAuthorizationURL } from "./create-authorization-url";
+export {
+	createAuthorizationCodeRequest,
+	validateAuthorizationCode,
+	validateToken,
+} from "./validate-authorization-code";
+export {
+	createRefreshAccessTokenRequest,
+	refreshAccessToken,
+} from "./refresh-access-token";
+export {
+	clientCredentialsToken,
+	createClientCredentialsTokenRequest,
+} from "./client-credentials-token";

package/src/oauth2/oauth-provider.ts

@@ -0,0 +1,194 @@
+import type { LiteralString } from "../types";
+
+export interface OAuth2Tokens {
+	tokenType?: string;
+	accessToken?: string;
+	refreshToken?: string;
+	accessTokenExpiresAt?: Date;
+	refreshTokenExpiresAt?: Date;
+	scopes?: string[];
+	idToken?: string;
+}
+
+export type OAuth2UserInfo = {
+	id: string | number;
+	name?: string;
+	email?: string | null;
+	image?: string;
+	emailVerified: boolean;
+};
+
+export interface OAuthProvider<
+	T extends Record<string, any> = Record<string, any>,
+	O extends Record<string, any> = Partial<ProviderOptions>,
+> {
+	id: LiteralString;
+	createAuthorizationURL: (data: {
+		state: string;
+		codeVerifier: string;
+		scopes?: string[];
+		redirectURI: string;
+		display?: string;
+		loginHint?: string;
+	}) => Promise<URL> | URL;
+	name: string;
+	validateAuthorizationCode: (data: {
+		code: string;
+		redirectURI: string;
+		codeVerifier?: string;
+		deviceId?: string;
+	}) => Promise<OAuth2Tokens>;
+	getUserInfo: (
+		token: OAuth2Tokens & {
+			/**
+			 * The user object from the provider
+			 * This is only available for some providers like Apple
+			 */
+			user?: {
+				name?: {
+					firstName?: string;
+					lastName?: string;
+				};
+				email?: string;
+			};
+		},
+	) => Promise<{
+		user: OAuth2UserInfo;
+		data: T;
+	} | null>;
+	/**
+	 * Custom function to refresh a token
+	 */
+	refreshAccessToken?: (refreshToken: string) => Promise<OAuth2Tokens>;
+	revokeToken?: (token: string) => Promise<void>;
+	/**
+	 * Verify the id token
+	 * @param token - The id token
+	 * @param nonce - The nonce
+	 * @returns True if the id token is valid, false otherwise
+	 */
+	verifyIdToken?: (token: string, nonce?: string) => Promise<boolean>;
+	/**
+	 * Disable implicit sign up for new users. When set to true for the provider,
+	 * sign-in need to be called with with requestSignUp as true to create new users.
+	 */
+	disableImplicitSignUp?: boolean;
+	/**
+	 * Disable sign up for new users.
+	 */
+	disableSignUp?: boolean;
+	/**
+	 * Options for the provider
+	 */
+	options?: O;
+}
+
+export type ProviderOptions<Profile extends Record<string, any> = any> = {
+	/**
+	 * The client ID of your application.
+	 *
+	 * This is usually a string but can be any type depending on the provider.
+	 */
+	clientId?: unknown;
+	/**
+	 * The client secret of your application
+	 */
+	clientSecret?: string;
+	/**
+	 * The scopes you want to request from the provider
+	 */
+	scope?: string[];
+	/**
+	 * Remove default scopes of the provider
+	 */
+	disableDefaultScope?: boolean;
+	/**
+	 * The redirect URL for your application. This is where the provider will
+	 * redirect the user after the sign in process. Make sure this URL is
+	 * whitelisted in the provider's dashboard.
+	 */
+	redirectURI?: string;
+	/**
+	 * The client key of your application
+	 * Tiktok Social Provider uses this field instead of clientId
+	 */
+	clientKey?: string;
+	/**
+	 * Disable provider from allowing users to sign in
+	 * with this provider with an id token sent from the
+	 * client.
+	 */
+	disableIdTokenSignIn?: boolean;
+	/**
+	 * verifyIdToken function to verify the id token
+	 */
+	verifyIdToken?: (token: string, nonce?: string) => Promise<boolean>;
+	/**
+	 * Custom function to get user info from the provider
+	 */
+	getUserInfo?: (token: OAuth2Tokens) => Promise<{
+		user: {
+			id: string;
+			name?: string;
+			email?: string | null;
+			image?: string;
+			emailVerified: boolean;
+			[key: string]: any;
+		};
+		data: any;
+	}>;
+	/**
+	 * Custom function to refresh a token
+	 */
+	refreshAccessToken?: (refreshToken: string) => Promise<OAuth2Tokens>;
+	/**
+	 * Custom function to map the provider profile to a
+	 * user.
+	 */
+	mapProfileToUser?: (profile: Profile) =>
+		| {
+				id?: string;
+				name?: string;
+				email?: string | null;
+				image?: string;
+				emailVerified?: boolean;
+				[key: string]: any;
+		  }
+		| Promise<{
+				id?: string;
+				name?: string;
+				email?: string | null;
+				image?: string;
+				emailVerified?: boolean;
+				[key: string]: any;
+		  }>;
+	/**
+	 * Disable implicit sign up for new users. When set to true for the provider,
+	 * sign-in need to be called with with requestSignUp as true to create new users.
+	 */
+	disableImplicitSignUp?: boolean;
+	/**
+	 * Disable sign up for new users.
+	 */
+	disableSignUp?: boolean;
+	/**
+	 * The prompt to use for the authorization code request
+	 */
+	prompt?:
+		| "select_account"
+		| "consent"
+		| "login"
+		| "none"
+		| "select_account consent";
+	/**
+	 * The response mode to use for the authorization code request
+	 */
+	responseMode?: "query" | "form_post";
+	/**
+	 * If enabled, the user info will be overridden with the provider user info
+	 * This is useful if you want to use the provider user info to update the user info
+	 *
+	 * @default false
+	 */
+	overrideUserInfoOnSignIn?: boolean;
+};

package/src/oauth2/refresh-access-token.ts

@@ -0,0 +1,124 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuth2Tokens, ProviderOptions } from "./oauth-provider";
+import { base64 } from "@better-auth/utils/base64";
+
+export function createRefreshAccessTokenRequest({
+	refreshToken,
+	options,
+	authentication,
+	extraParams,
+	resource,
+}: {
+	refreshToken: string;
+	options: Partial<ProviderOptions>;
+	authentication?: "basic" | "post";
+	extraParams?: Record<string, string>;
+	resource?: string | string[];
+}) {
+	const body = new URLSearchParams();
+	const headers: Record<string, any> = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+	};
+
+	body.set("grant_type", "refresh_token");
+	body.set("refresh_token", refreshToken);
+	// Use standard Base64 encoding for HTTP Basic Auth (OAuth2 spec, RFC 7617)
+	// Fixes compatibility with providers like Notion, Twitter, etc.
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		if (primaryClientId) {
+			headers["authorization"] =
+				"Basic " +
+				base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`);
+		} else {
+			headers["authorization"] =
+				"Basic " + base64.encode(`:${options.clientSecret ?? ""}`);
+		}
+	} else {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) {
+			body.set("client_secret", options.clientSecret);
+		}
+	}
+
+	if (resource) {
+		if (typeof resource === "string") {
+			body.append("resource", resource);
+		} else {
+			for (const _resource of resource) {
+				body.append("resource", _resource);
+			}
+		}
+	}
+	if (extraParams) {
+		for (const [key, value] of Object.entries(extraParams)) {
+			body.set(key, value);
+		}
+	}
+
+	return {
+		body,
+		headers,
+	};
+}
+
+export async function refreshAccessToken({
+	refreshToken,
+	options,
+	tokenEndpoint,
+	authentication,
+	extraParams,
+}: {
+	refreshToken: string;
+	options: Partial<ProviderOptions>;
+	tokenEndpoint: string;
+	authentication?: "basic" | "post";
+	extraParams?: Record<string, string>;
+	/** @deprecated always "refresh_token" */
+	grantType?: string;
+}): Promise<OAuth2Tokens> {
+	const { body, headers } = createRefreshAccessTokenRequest({
+		refreshToken,
+		options,
+		authentication,
+		extraParams,
+	});
+
+	const { data, error } = await betterFetch<{
+		access_token: string;
+		refresh_token?: string;
+		expires_in?: number;
+		token_type?: string;
+		scope?: string;
+		id_token?: string;
+	}>(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers,
+	});
+	if (error) {
+		throw error;
+	}
+	const tokens: OAuth2Tokens = {
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		tokenType: data.token_type,
+		scopes: data.scope?.split(" "),
+		idToken: data.id_token,
+	};
+
+	if (data.expires_in) {
+		const now = new Date();
+		tokens.accessTokenExpiresAt = new Date(
+			now.getTime() + data.expires_in * 1000,
+		);
+	}
+
+	return tokens;
+}

package/src/oauth2/utils.ts

@@ -0,0 +1,36 @@
+import { base64Url } from "@better-auth/utils/base64";
+import type { OAuth2Tokens } from "./oauth-provider";
+
+export function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens {
+	const getDate = (seconds: number) => {
+		const now = new Date();
+		return new Date(now.getTime() + seconds * 1000);
+	};
+
+	return {
+		tokenType: data.token_type,
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		accessTokenExpiresAt: data.expires_in
+			? getDate(data.expires_in)
+			: undefined,
+		refreshTokenExpiresAt: data.refresh_token_expires_in
+			? getDate(data.refresh_token_expires_in)
+			: undefined,
+		scopes: data?.scope
+			? typeof data.scope === "string"
+				? data.scope.split(" ")
+				: data.scope
+			: [],
+		idToken: data.id_token,
+	};
+}
+
+export async function generateCodeChallenge(codeVerifier: string) {
+	const encoder = new TextEncoder();
+	const data = encoder.encode(codeVerifier);
+	const hash = await crypto.subtle.digest("SHA-256", data);
+	return base64Url.encode(new Uint8Array(hash), {
+		padding: false,
+	});
+}

package/src/oauth2/validate-authorization-code.ts

@@ -0,0 +1,156 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { jwtVerify } from "jose";
+import type { ProviderOptions } from "./index";
+import { getOAuth2Tokens } from "./index";
+import { base64 } from "@better-auth/utils/base64";
+
+export function createAuthorizationCodeRequest({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: Partial<ProviderOptions>;
+	codeVerifier?: string;
+	deviceId?: string;
+	authentication?: "basic" | "post";
+	headers?: Record<string, string>;
+	additionalParams?: Record<string, string>;
+	resource?: string | string[];
+}) {
+	const body = new URLSearchParams();
+	const requestHeaders: Record<string, any> = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+		"user-agent": "better-auth",
+		...headers,
+	};
+	body.set("grant_type", "authorization_code");
+	body.set("code", code);
+	codeVerifier && body.set("code_verifier", codeVerifier);
+	options.clientKey && body.set("client_key", options.clientKey);
+	deviceId && body.set("device_id", deviceId);
+	body.set("redirect_uri", options.redirectURI || redirectURI);
+	if (resource) {
+		if (typeof resource === "string") {
+			body.append("resource", resource);
+		} else {
+			for (const _resource of resource) {
+				body.append("resource", _resource);
+			}
+		}
+	}
+	// Use standard Base64 encoding for HTTP Basic Auth (OAuth2 spec, RFC 7617)
+	// Fixes compatibility with providers like Notion, Twitter, etc.
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		const encodedCredentials = base64.encode(
+			`${primaryClientId}:${options.clientSecret ?? ""}`,
+		);
+		requestHeaders["authorization"] = `Basic ${encodedCredentials}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) {
+			body.set("client_secret", options.clientSecret);
+		}
+	}
+
+	for (const [key, value] of Object.entries(additionalParams)) {
+		if (!body.has(key)) body.append(key, value);
+	}
+
+	return {
+		body,
+		headers: requestHeaders,
+	};
+}
+
+export async function validateAuthorizationCode({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	tokenEndpoint,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: Partial<ProviderOptions>;
+	codeVerifier?: string;
+	deviceId?: string;
+	tokenEndpoint: string;
+	authentication?: "basic" | "post";
+	headers?: Record<string, string>;
+	additionalParams?: Record<string, string>;
+	resource?: string | string[];
+}) {
+	const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource,
+	});
+
+	const { data, error } = await betterFetch<object>(tokenEndpoint, {
+		method: "POST",
+		body: body,
+		headers: requestHeaders,
+	});
+
+	if (error) {
+		throw error;
+	}
+	const tokens = getOAuth2Tokens(data);
+	return tokens;
+}
+
+export async function validateToken(token: string, jwksEndpoint: string) {
+	const { data, error } = await betterFetch<{
+		keys: {
+			kid: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+			x5c: string[];
+		}[];
+	}>(jwksEndpoint, {
+		method: "GET",
+		headers: {
+			accept: "application/json",
+			"user-agent": "better-auth",
+		},
+	});
+	if (error) {
+		throw error;
+	}
+	const keys = data["keys"];
+	const header = JSON.parse(atob(token.split(".")[0]!));
+	const key = keys.find((key) => key.kid === header.kid);
+	if (!key) {
+		throw new Error("Key not found");
+	}
+	const verified = await jwtVerify(token, key);
+	return verified;
+}