@better-auth/core 1.3.27 → 1.3.29

package/src/social-providers/github.ts

@@ -0,0 +1,154 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+
+export interface GithubProfile {
+	login: string;
+	id: string;
+	node_id: string;
+	avatar_url: string;
+	gravatar_id: string;
+	url: string;
+	html_url: string;
+	followers_url: string;
+	following_url: string;
+	gists_url: string;
+	starred_url: string;
+	subscriptions_url: string;
+	organizations_url: string;
+	repos_url: string;
+	events_url: string;
+	received_events_url: string;
+	type: string;
+	site_admin: boolean;
+	name: string;
+	company: string;
+	blog: string;
+	location: string;
+	email: string;
+	hireable: boolean;
+	bio: string;
+	twitter_username: string;
+	public_repos: string;
+	public_gists: string;
+	followers: string;
+	following: string;
+	created_at: string;
+	updated_at: string;
+	private_gists: string;
+	total_private_repos: string;
+	owned_private_repos: string;
+	disk_usage: string;
+	collaborators: string;
+	two_factor_authentication: boolean;
+	plan: {
+		name: string;
+		space: string;
+		private_repos: string;
+		collaborators: string;
+	};
+}
+
+export interface GithubOptions extends ProviderOptions<GithubProfile> {
+	clientId: string;
+}
+export const github = (options: GithubOptions) => {
+	const tokenEndpoint = "https://github.com/login/oauth/access_token";
+	return {
+		id: "github",
+		name: "GitHub",
+		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["read:user", "user:email"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "github",
+				options,
+				authorizationEndpoint: "https://github.com/login/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint,
+				prompt: options.prompt,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://github.com/login/oauth/access_token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<GithubProfile>(
+				"https://api.github.com/user",
+				{
+					headers: {
+						"User-Agent": "better-auth",
+						authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+			if (error) {
+				return null;
+			}
+			const { data: emails } = await betterFetch<
+				{
+					email: string;
+					primary: boolean;
+					verified: boolean;
+					visibility: "public" | "private";
+				}[]
+			>("https://api.github.com/user/emails", {
+				headers: {
+					Authorization: `Bearer ${token.accessToken}`,
+					"User-Agent": "better-auth",
+				},
+			});
+
+			if (!profile.email && emails) {
+				profile.email = (emails.find((e) => e.primary) ?? emails[0])
+					?.email as string;
+			}
+			const emailVerified =
+				emails?.find((e) => e.email === profile.email)?.verified ?? false;
+
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name || profile.login,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<GithubProfile>;
+};

package/src/social-providers/gitlab.ts

@@ -0,0 +1,152 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+
+export interface GitlabProfile extends Record<string, any> {
+	id: number;
+	username: string;
+	email: string;
+	name: string;
+	state: string;
+	avatar_url: string;
+	web_url: string;
+	created_at: string;
+	bio: string;
+	location?: string;
+	public_email: string;
+	skype: string;
+	linkedin: string;
+	twitter: string;
+	website_url: string;
+	organization: string;
+	job_title: string;
+	pronouns: string;
+	bot: boolean;
+	work_information?: string;
+	followers: number;
+	following: number;
+	local_time: string;
+	last_sign_in_at: string;
+	confirmed_at: string;
+	theme_id: number;
+	last_activity_on: string;
+	color_scheme_id: number;
+	projects_limit: number;
+	current_sign_in_at: string;
+	identities: Array<{
+		provider: string;
+		extern_uid: string;
+	}>;
+	can_create_group: boolean;
+	can_create_project: boolean;
+	two_factor_enabled: boolean;
+	external: boolean;
+	private_profile: boolean;
+	commit_email: string;
+	shared_runners_minutes_limit: number;
+	extra_shared_runners_minutes_limit: number;
+}
+
+export interface GitlabOptions extends ProviderOptions<GitlabProfile> {
+	clientId: string;
+	issuer?: string;
+}
+
+const cleanDoubleSlashes = (input: string = "") => {
+	return input
+		.split("://")
+		.map((str) => str.replace(/\/{2,}/g, "/"))
+		.join("://");
+};
+
+const issuerToEndpoints = (issuer?: string) => {
+	let baseUrl = issuer || "https://gitlab.com";
+	return {
+		authorizationEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/authorize`),
+		tokenEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/token`),
+		userinfoEndpoint: cleanDoubleSlashes(`${baseUrl}/api/v4/user`),
+	};
+};
+
+export const gitlab = (options: GitlabOptions) => {
+	const { authorizationEndpoint, tokenEndpoint, userinfoEndpoint } =
+		issuerToEndpoints(options.issuer);
+	const issuerId = "gitlab";
+	const issuerName = "Gitlab";
+	return {
+		id: issuerId,
+		name: issuerName,
+		createAuthorizationURL: async ({
+			state,
+			scopes,
+			codeVerifier,
+			loginHint,
+			redirectURI,
+		}) => {
+			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: issuerId,
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				redirectURI,
+				codeVerifier,
+				loginHint,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				codeVerifier,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: tokenEndpoint,
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<GitlabProfile>(
+				userinfoEndpoint,
+				{ headers: { authorization: `Bearer ${token.accessToken}` } },
+			);
+			if (error || profile.state !== "active" || profile.locked) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name ?? profile.username,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified: true,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<GitlabProfile>;
+};

package/src/social-providers/google.ts

@@ -0,0 +1,171 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt } from "jose";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+import { logger } from "@better-auth/core/env";
+import { refreshAccessToken } from "@better-auth/core/oauth2";
+
+export interface GoogleProfile {
+	aud: string;
+	azp: string;
+	email: string;
+	email_verified: boolean;
+	exp: number;
+	/**
+	 * The family name of the user, or last name in most
+	 * Western languages.
+	 */
+	family_name: string;
+	/**
+	 * The given name of the user, or first name in most
+	 * Western languages.
+	 */
+	given_name: string;
+	hd?: string;
+	iat: number;
+	iss: string;
+	jti?: string;
+	locale?: string;
+	name: string;
+	nbf?: number;
+	picture: string;
+	sub: string;
+}
+
+export interface GoogleOptions extends ProviderOptions<GoogleProfile> {
+	clientId: string;
+	/**
+	 * The access type to use for the authorization code request
+	 */
+	accessType?: "offline" | "online";
+	/**
+	 * The display mode to use for the authorization code request
+	 */
+	display?: "page" | "popup" | "touch" | "wap";
+	/**
+	 * The hosted domain of the user
+	 */
+	hd?: string;
+}
+
+export const google = (options: GoogleOptions) => {
+	return {
+		id: "google",
+		name: "Google",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			loginHint,
+			display,
+		}) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error(
+					"Client Id and Client Secret is required for Google. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) {
+				throw new BetterAuthError("codeVerifier is required for Google");
+			}
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["email", "profile", "openid"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			const url = await createAuthorizationURL({
+				id: "google",
+				options,
+				authorizationEndpoint: "https://accounts.google.com/o/oauth2/auth",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+				accessType: options.accessType,
+				display: display || options.display,
+				loginHint,
+				hd: options.hd,
+				additionalParams: {
+					include_granted_scopes: "true",
+				},
+			});
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://oauth2.googleapis.com/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://www.googleapis.com/oauth2/v4/token",
+					});
+				},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+			const googlePublicKeyUrl = `https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${token}`;
+			const { data: tokenInfo } = await betterFetch<{
+				aud: string;
+				iss: string;
+				email: string;
+				email_verified: boolean;
+				name: string;
+				picture: string;
+				sub: string;
+			}>(googlePublicKeyUrl);
+			if (!tokenInfo) {
+				return false;
+			}
+			const isValid =
+				tokenInfo.aud === options.clientId &&
+				(tokenInfo.iss === "https://accounts.google.com" ||
+					tokenInfo.iss === "accounts.google.com");
+			return isValid;
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			if (!token.idToken) {
+				return null;
+			}
+			const user = decodeJwt(token.idToken) as GoogleProfile;
+			const userMap = await options.mapProfileToUser?.(user);
+			return {
+				user: {
+					id: user.sub,
+					name: user.name,
+					email: user.email,
+					image: user.picture,
+					emailVerified: user.email_verified,
+					...userMap,
+				},
+				data: user,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<GoogleProfile>;
+};

package/src/social-providers/huggingface.ts

@@ -0,0 +1,116 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+
+export interface HuggingFaceProfile {
+	sub: string;
+	name: string;
+	preferred_username: string;
+	profile: string;
+	picture: string;
+	website?: string;
+	email?: string;
+	email_verified?: boolean;
+	isPro: boolean;
+	canPay?: boolean;
+	orgs?: {
+		sub: string;
+		name: string;
+		picture: string;
+		preferred_username: string;
+		isEnterprise: boolean | "plus";
+		canPay?: boolean;
+		roleInOrg?: "admin" | "write" | "contributor" | "read";
+		pendingSSO?: boolean;
+		missingMFA?: boolean;
+		resourceGroups?: {
+			sub: string;
+			name: string;
+			role: "admin" | "write" | "contributor" | "read";
+		}[];
+	};
+}
+
+export interface HuggingFaceOptions
+	extends ProviderOptions<HuggingFaceProfile> {
+	clientId: string;
+}
+
+export const huggingface = (options: HuggingFaceOptions) => {
+	return {
+		id: "huggingface",
+		name: "Hugging Face",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "huggingface",
+				options,
+				authorizationEndpoint: "https://huggingface.co/oauth/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://huggingface.co/oauth/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://huggingface.co/oauth/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<HuggingFaceProfile>(
+				"https://huggingface.co/oauth/userinfo",
+				{
+					method: "GET",
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+			if (error) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name || profile.preferred_username,
+					email: profile.email,
+					image: profile.picture,
+					emailVerified: profile.email_verified ?? false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<HuggingFaceProfile>;
+};

package/src/social-providers/index.ts

@@ -0,0 +1,118 @@
+import * as z from "zod";
+import { apple } from "./apple";
+import { atlassian } from "./atlassian";
+import { cognito } from "./cognito";
+import { discord } from "./discord";
+import { facebook } from "./facebook";
+import { figma } from "./figma";
+import { github } from "./github";
+import { google } from "./google";
+import { kick } from "./kick";
+import { huggingface } from "./huggingface";
+import { microsoft } from "./microsoft-entra-id";
+import { slack } from "./slack";
+import { notion } from "./notion";
+import { spotify } from "./spotify";
+import { twitch } from "./twitch";
+import { twitter } from "./twitter";
+import { dropbox } from "./dropbox";
+import { linear } from "./linear";
+import { linkedin } from "./linkedin";
+import { gitlab } from "./gitlab";
+import { tiktok } from "./tiktok";
+import { reddit } from "./reddit";
+import { roblox } from "./roblox";
+import { salesforce } from "./salesforce";
+import { vk } from "./vk";
+import { zoom } from "./zoom";
+import { kakao } from "./kakao";
+import { naver } from "./naver";
+import { line } from "./line";
+import { paypal } from "./paypal";
+
+export const socialProviders = {
+	apple,
+	atlassian,
+	cognito,
+	discord,
+	facebook,
+	figma,
+	github,
+	microsoft,
+	google,
+	huggingface,
+	slack,
+	spotify,
+	twitch,
+	twitter,
+	dropbox,
+	kick,
+	linear,
+	linkedin,
+	gitlab,
+	tiktok,
+	reddit,
+	roblox,
+	salesforce,
+	vk,
+	zoom,
+	notion,
+	kakao,
+	naver,
+	line,
+	paypal,
+};
+
+export const socialProviderList = Object.keys(socialProviders) as [
+	"github",
+	...(keyof typeof socialProviders)[],
+];
+
+export const SocialProviderListEnum = z
+	.enum(socialProviderList)
+	.or(z.string()) as z.ZodType<SocialProviderList[number] | (string & {})>;
+
+export type SocialProvider = z.infer<typeof SocialProviderListEnum>;
+
+export type SocialProviders = {
+	[K in SocialProviderList[number]]?: Parameters<
+		(typeof socialProviders)[K]
+	>[0] & {
+		enabled?: boolean;
+	};
+};
+
+export * from "./apple";
+export * from "./atlassian";
+export * from "./cognito";
+export * from "./discord";
+export * from "./dropbox";
+export * from "./facebook";
+export * from "./figma";
+export * from "./github";
+export * from "./linear";
+export * from "./linkedin";
+export * from "./gitlab";
+export * from "./google";
+export * from "./kick";
+export * from "./linkedin";
+export * from "./microsoft-entra-id";
+export * from "./notion";
+export * from "./reddit";
+export * from "./roblox";
+export * from "./salesforce";
+export * from "./spotify";
+export * from "./tiktok";
+export * from "./twitch";
+export * from "./twitter";
+export * from "./vk";
+export * from "./zoom";
+export * from "./kick";
+export * from "./huggingface";
+export * from "./slack";
+export * from "./kakao";
+export * from "./naver";
+export * from "./line";
+export * from "./paypal";
+
+export type SocialProviderList = typeof socialProviderList;