@better-auth/core 1.3.27 → 1.3.29

package/src/social-providers/discord.ts

@@ -0,0 +1,172 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+export interface DiscordProfile extends Record<string, any> {
+	/** the user's id (i.e. the numerical snowflake) */
+	id: string;
+	/** the user's username, not unique across the platform */
+	username: string;
+	/** the user's Discord-tag */
+	discriminator: string;
+	/** the user's display name, if it is set  */
+	global_name: string | null;
+	/**
+	 * the user's avatar hash:
+	 * https://discord.com/developers/docs/reference#image-formatting
+	 */
+	avatar: string | null;
+	/** whether the user belongs to an OAuth2 application */
+	bot?: boolean;
+	/**
+	 * whether the user is an Official Discord System user (part of the urgent
+	 * message system)
+	 */
+	system?: boolean;
+	/** whether the user has two factor enabled on their account */
+	mfa_enabled: boolean;
+	/**
+	 * the user's banner hash:
+	 * https://discord.com/developers/docs/reference#image-formatting
+	 */
+	banner: string | null;
+
+	/** the user's banner color encoded as an integer representation of hexadecimal color code */
+	accent_color: number | null;
+
+	/**
+	 * the user's chosen language option:
+	 * https://discord.com/developers/docs/reference#locales
+	 */
+	locale: string;
+	/** whether the email on this account has been verified */
+	verified: boolean;
+	/** the user's email */
+	email: string;
+	/**
+	 * the flags on a user's account:
+	 * https://discord.com/developers/docs/resources/user#user-object-user-flags
+	 */
+	flags: number;
+	/**
+	 * the type of Nitro subscription on a user's account:
+	 * https://discord.com/developers/docs/resources/user#user-object-premium-types
+	 */
+	premium_type: number;
+	/**
+	 * the public flags on a user's account:
+	 * https://discord.com/developers/docs/resources/user#user-object-user-flags
+	 */
+	public_flags: number;
+	/** undocumented field; corresponds to the user's custom nickname */
+	display_name: string | null;
+	/**
+	 * undocumented field; corresponds to the Discord feature where you can e.g.
+	 * put your avatar inside of an ice cube
+	 */
+	avatar_decoration: string | null;
+	/**
+	 * undocumented field; corresponds to the premium feature where you can
+	 * select a custom banner color
+	 */
+	banner_color: string | null;
+	/** undocumented field; the CDN URL of their profile picture */
+	image_url: string;
+}
+
+export interface DiscordOptions extends ProviderOptions<DiscordProfile> {
+	clientId: string;
+	prompt?: "none" | "consent";
+	permissions?: number;
+}
+
+export const discord = (options: DiscordOptions) => {
+	return {
+		id: "discord",
+		name: "Discord",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["identify", "email"];
+			scopes && _scopes.push(...scopes);
+			options.scope && _scopes.push(...options.scope);
+			const hasBotScope = _scopes.includes("bot");
+			const permissionsParam =
+				hasBotScope && options.permissions !== undefined
+					? `&permissions=${options.permissions}`
+					: "";
+			return new URL(
+				`https://discord.com/api/oauth2/authorize?scope=${_scopes.join(
+					"+",
+				)}&response_type=code&client_id=${
+					options.clientId
+				}&redirect_uri=${encodeURIComponent(
+					options.redirectURI || redirectURI,
+				)}&state=${state}&prompt=${
+					options.prompt || "none"
+				}${permissionsParam}`,
+			);
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://discord.com/api/oauth2/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://discord.com/api/oauth2/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<DiscordProfile>(
+				"https://discord.com/api/users/@me",
+				{
+					headers: {
+						authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+			if (profile.avatar === null) {
+				const defaultAvatarNumber =
+					profile.discriminator === "0"
+						? Number(BigInt(profile.id) >> BigInt(22)) % 6
+						: parseInt(profile.discriminator) % 5;
+				profile.image_url = `https://cdn.discordapp.com/embed/avatars/${defaultAvatarNumber}.png`;
+			} else {
+				const format = profile.avatar.startsWith("a_") ? "gif" : "png";
+				profile.image_url = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.global_name || profile.username || "",
+					email: profile.email,
+					emailVerified: profile.verified,
+					image: profile.image_url,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<DiscordProfile>;
+};

package/src/social-providers/dropbox.ts

@@ -0,0 +1,112 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+
+export interface DropboxProfile {
+	account_id: string;
+	name: {
+		given_name: string;
+		surname: string;
+		familiar_name: string;
+		display_name: string;
+		abbreviated_name: string;
+	};
+	email: string;
+	email_verified: boolean;
+	profile_photo_url: string;
+}
+
+export interface DropboxOptions extends ProviderOptions<DropboxProfile> {
+	clientId: string;
+	accessType?: "offline" | "online" | "legacy";
+}
+
+export const dropbox = (options: DropboxOptions) => {
+	const tokenEndpoint = "https://api.dropboxapi.com/oauth2/token";
+
+	return {
+		id: "dropbox",
+		name: "Dropbox",
+		createAuthorizationURL: async ({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+		}) => {
+			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			const additionalParams: Record<string, string> = {};
+			if (options.accessType) {
+				additionalParams.token_access_type = options.accessType;
+			}
+			return await createAuthorizationURL({
+				id: "dropbox",
+				options,
+				authorizationEndpoint: "https://www.dropbox.com/oauth2/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				codeVerifier,
+				additionalParams,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return await validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://api.dropbox.com/oauth2/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<DropboxProfile>(
+				"https://api.dropboxapi.com/2/users/get_current_account",
+				{
+					method: "POST",
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.account_id,
+					name: profile.name?.display_name,
+					email: profile.email,
+					emailVerified: profile.email_verified || false,
+					image: profile.profile_photo_url,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<DropboxProfile>;
+};

package/src/social-providers/facebook.ts

@@ -0,0 +1,204 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+import { createRemoteJWKSet, jwtVerify, decodeJwt } from "jose";
+import { refreshAccessToken } from "@better-auth/core/oauth2";
+export interface FacebookProfile {
+	id: string;
+	name: string;
+	email: string;
+	email_verified: boolean;
+	picture: {
+		data: {
+			height: number;
+			is_silhouette: boolean;
+			url: string;
+			width: number;
+		};
+	};
+}
+
+export interface FacebookOptions extends ProviderOptions<FacebookProfile> {
+	clientId: string;
+	/**
+	 * Extend list of fields to retrieve from the Facebook user profile.
+	 *
+	 * @default ["id", "name", "email", "picture"]
+	 */
+	fields?: string[];
+
+	/**
+	 * The config id to use when undergoing oauth
+	 */
+	configId?: string;
+}
+
+export const facebook = (options: FacebookOptions) => {
+	return {
+		id: "facebook",
+		name: "Facebook",
+		async createAuthorizationURL({ state, scopes, redirectURI, loginHint }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["email", "public_profile"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "facebook",
+				options,
+				authorizationEndpoint: "https://www.facebook.com/v21.0/dialog/oauth",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint,
+				additionalParams: options.configId
+					? {
+							config_id: options.configId,
+						}
+					: {},
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://graph.facebook.com/oauth/access_token",
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+
+			/* limited login */
+			// check is limited token
+			if (token.split(".").length === 3) {
+				try {
+					const { payload: jwtClaims } = await jwtVerify(
+						token,
+						createRemoteJWKSet(
+							// https://developers.facebook.com/docs/facebook-login/limited-login/token/#jwks
+							new URL(
+								"https://limited.facebook.com/.well-known/oauth/openid/jwks/",
+							),
+						),
+						{
+							algorithms: ["RS256"],
+							audience: options.clientId,
+							issuer: "https://www.facebook.com",
+						},
+					);
+
+					if (nonce && jwtClaims.nonce !== nonce) {
+						return false;
+					}
+
+					return !!jwtClaims;
+				} catch (error) {
+					return false;
+				}
+			}
+
+			/* access_token */
+			return true;
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint:
+							"https://graph.facebook.com/v18.0/oauth/access_token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			if (token.idToken && token.idToken.split(".").length === 3) {
+				const profile = decodeJwt(token.idToken) as {
+					sub: string;
+					email: string;
+					name: string;
+					picture: string;
+				};
+
+				const user = {
+					id: profile.sub,
+					name: profile.name,
+					email: profile.email,
+					picture: {
+						data: {
+							url: profile.picture,
+							height: 100,
+							width: 100,
+							is_silhouette: false,
+						},
+					},
+				};
+
+				// https://developers.facebook.com/docs/facebook-login/limited-login/permissions
+				const userMap = await options.mapProfileToUser?.({
+					...user,
+					email_verified: true,
+				});
+
+				return {
+					user: {
+						...user,
+						emailVerified: true,
+						...userMap,
+					},
+					data: profile,
+				};
+			}
+
+			const fields = [
+				"id",
+				"name",
+				"email",
+				"picture",
+				...(options?.fields || []),
+			];
+			const { data: profile, error } = await betterFetch<FacebookProfile>(
+				"https://graph.facebook.com/me?fields=" + fields.join(","),
+				{
+					auth: {
+						type: "Bearer",
+						token: token.accessToken,
+					},
+				},
+			);
+			if (error) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name,
+					email: profile.email,
+					image: profile.picture.data.url,
+					emailVerified: profile.email_verified,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<FacebookProfile>;
+};

package/src/social-providers/figma.ts

@@ -0,0 +1,115 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+import { logger } from "@better-auth/core/env";
+import { refreshAccessToken } from "@better-auth/core/oauth2";
+
+export interface FigmaProfile {
+	id: string;
+	email: string;
+	handle: string;
+	img_url: string;
+}
+
+export interface FigmaOptions extends ProviderOptions<FigmaProfile> {
+	clientId: string;
+}
+
+export const figma = (options: FigmaOptions) => {
+	return {
+		id: "figma",
+		name: "Figma",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error(
+					"Client Id and Client Secret are required for Figma. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) {
+				throw new BetterAuthError("codeVerifier is required for Figma");
+			}
+
+			const _scopes = options.disableDefaultScope ? [] : ["file_read"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+
+			const url = await createAuthorizationURL({
+				id: "figma",
+				options,
+				authorizationEndpoint: "https://www.figma.com/oauth",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+			});
+
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://www.figma.com/api/oauth/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://www.figma.com/api/oauth/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			try {
+				const { data: profile } = await betterFetch<FigmaProfile>(
+					"https://api.figma.com/v1/me",
+					{
+						headers: {
+							Authorization: `Bearer ${token.accessToken}`,
+						},
+					},
+				);
+
+				if (!profile) {
+					logger.error("Failed to fetch user from Figma");
+					return null;
+				}
+
+				const userMap = await options.mapProfileToUser?.(profile);
+
+				return {
+					user: {
+						id: profile.id,
+						name: profile.handle,
+						email: profile.email,
+						image: profile.img_url,
+						emailVerified: !!profile.email,
+						...userMap,
+					},
+					data: profile,
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Figma:", error);
+				return null;
+			}
+		},
+		options,
+	} satisfies OAuthProvider<FigmaProfile>;
+};