@better-auth/core 1.3.27 → 1.3.29

package/src/social-providers/kakao.ts

@@ -0,0 +1,178 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+
+interface Partner {
+	/** Partner-specific ID (consent required: kakaotalk_message) */
+	uuid?: string;
+}
+
+interface Profile {
+	/** Nickname (consent required: profile/nickname) */
+	nickname?: string;
+	/** Thumbnail image URL (consent required: profile/profile image) */
+	thumbnail_image_url?: string;
+	/** Profile image URL (consent required: profile/profile image) */
+	profile_image_url?: string;
+	/** Whether the profile image is the default */
+	is_default_image?: boolean;
+	/** Whether the nickname is the default */
+	is_default_nickname?: boolean;
+}
+
+interface KakaoAccount {
+	/** Consent required: profile info (nickname/profile image) */
+	profile_needs_agreement?: boolean;
+	/** Consent required: nickname */
+	profile_nickname_needs_agreement?: boolean;
+	/** Consent required: profile image */
+	profile_image_needs_agreement?: boolean;
+	/** Profile info */
+	profile?: Profile;
+	/** Consent required: name */
+	name_needs_agreement?: boolean;
+	/** Name */
+	name?: string;
+	/** Consent required: email */
+	email_needs_agreement?: boolean;
+	/** Email valid */
+	is_email_valid?: boolean;
+	/** Email verified */
+	is_email_verified?: boolean;
+	/** Email */
+	email?: string;
+	/** Consent required: age range */
+	age_range_needs_agreement?: boolean;
+	/** Age range */
+	age_range?: string;
+	/** Consent required: birth year */
+	birthyear_needs_agreement?: boolean;
+	/** Birth year (YYYY) */
+	birthyear?: string;
+	/** Consent required: birthday */
+	birthday_needs_agreement?: boolean;
+	/** Birthday (MMDD) */
+	birthday?: string;
+	/** Birthday type (SOLAR/LUNAR) */
+	birthday_type?: string;
+	/** Whether birthday is in a leap month */
+	is_leap_month?: boolean;
+	/** Consent required: gender */
+	gender_needs_agreement?: boolean;
+	/** Gender (male/female) */
+	gender?: string;
+	/** Consent required: phone number */
+	phone_number_needs_agreement?: boolean;
+	/** Phone number */
+	phone_number?: string;
+	/** Consent required: CI */
+	ci_needs_agreement?: boolean;
+	/** CI (unique identifier) */
+	ci?: string;
+	/** CI authentication time (UTC) */
+	ci_authenticated_at?: string;
+}
+
+export interface KakaoProfile {
+	/** Kakao user ID */
+	id: number;
+	/**
+	 * Whether the user has signed up (only present if auto-connection is disabled)
+	 * false: preregistered, true: registered
+	 */
+	has_signed_up?: boolean;
+	/** UTC datetime when the user connected the service */
+	connected_at?: string;
+	/** UTC datetime when the user signed up via Kakao Sync */
+	synched_at?: string;
+	/** Custom user properties */
+	properties?: Record<string, any>;
+	/** Kakao account info */
+	kakao_account: KakaoAccount;
+	/** Partner info */
+	for_partner?: Partner;
+}
+
+export interface KakaoOptions extends ProviderOptions<KakaoProfile> {
+	clientId: string;
+}
+
+export const kakao = (options: KakaoOptions) => {
+	return {
+		id: "kakao",
+		name: "Kakao",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["account_email", "profile_image", "profile_nickname"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "kakao",
+				options,
+				authorizationEndpoint: "https://kauth.kakao.com/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://kauth.kakao.com/oauth/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://kauth.kakao.com/oauth/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<KakaoProfile>(
+				"https://kapi.kakao.com/v2/user/me",
+				{
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+			if (error || !profile) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			const account = profile.kakao_account || {};
+			const kakaoProfile = account.profile || {};
+			const user = {
+				id: String(profile.id),
+				name: kakaoProfile.nickname || account.name || undefined,
+				email: account.email,
+				image:
+					kakaoProfile.profile_image_url || kakaoProfile.thumbnail_image_url,
+				emailVerified: !!account.is_email_valid && !!account.is_email_verified,
+				...userMap,
+			};
+			return {
+				user,
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<KakaoProfile>;
+};

package/src/social-providers/kick.ts

@@ -0,0 +1,95 @@
+import { betterFetch } from "@better-fetch/fetch";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+
+export interface KickProfile {
+	/**
+	 * The user id of the user
+	 */
+	user_id: string;
+	/**
+	 * The name of the user
+	 */
+	name: string;
+	/**
+	 * The email of the user
+	 */
+	email: string;
+	/**
+	 * The picture of the user
+	 */
+	profile_picture: string;
+}
+
+export interface KickOptions extends ProviderOptions<KickProfile> {
+	clientId: string;
+}
+
+export const kick = (options: KickOptions) => {
+	return {
+		id: "kick",
+		name: "Kick",
+		createAuthorizationURL({ state, scopes, redirectURI, codeVerifier }) {
+			const _scopes = options.disableDefaultScope ? [] : ["user:read"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+
+			return createAuthorizationURL({
+				id: "kick",
+				redirectURI,
+				options,
+				authorizationEndpoint: "https://id.kick.com/oauth/authorize",
+				scopes: _scopes,
+				codeVerifier,
+				state,
+			});
+		},
+		async validateAuthorizationCode({ code, redirectURI, codeVerifier }) {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://id.kick.com/oauth/token",
+				codeVerifier,
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			const { data, error } = await betterFetch<{
+				data: KickProfile[];
+			}>("https://api.kick.com/public/v1/users", {
+				method: "GET",
+				headers: {
+					Authorization: `Bearer ${token.accessToken}`,
+				},
+			});
+
+			if (error) {
+				return null;
+			}
+
+			const profile = data.data[0]!;
+
+			const userMap = await options.mapProfileToUser?.(profile);
+
+			return {
+				user: {
+					id: profile.user_id,
+					name: profile.name,
+					email: profile.email,
+					image: profile.profile_picture,
+					emailVerified: true,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<KickProfile>;
+};

package/src/social-providers/line.ts

@@ -0,0 +1,169 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt } from "jose";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+
+export interface LineIdTokenPayload {
+	iss: string;
+	sub: string;
+	aud: string;
+	exp: number;
+	iat: number;
+	name?: string;
+	picture?: string;
+	email?: string;
+	amr?: string[];
+	nonce?: string;
+}
+
+export interface LineUserInfo {
+	sub: string;
+	name?: string;
+	picture?: string;
+	email?: string;
+}
+
+export interface LineOptions
+	extends ProviderOptions<LineUserInfo | LineIdTokenPayload> {
+	clientId: string;
+}
+
+/**
+ * LINE Login v2.1
+ * - Authorization endpoint: https://access.line.me/oauth2/v2.1/authorize
+ * - Token endpoint: https://api.line.me/oauth2/v2.1/token
+ * - UserInfo endpoint: https://api.line.me/oauth2/v2.1/userinfo
+ * - Verify ID token: https://api.line.me/oauth2/v2.1/verify
+ *
+ * Docs: https://developers.line.biz/en/reference/line-login/#issue-access-token
+ */
+export const line = (options: LineOptions) => {
+	const authorizationEndpoint = "https://access.line.me/oauth2/v2.1/authorize";
+	const tokenEndpoint = "https://api.line.me/oauth2/v2.1/token";
+	const userInfoEndpoint = "https://api.line.me/oauth2/v2.1/userinfo";
+	const verifyIdTokenEndpoint = "https://api.line.me/oauth2/v2.1/verify";
+
+	return {
+		id: "line",
+		name: "LINE",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			loginHint,
+		}) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "line",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				loginHint,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+			const body = new URLSearchParams();
+			body.set("id_token", token);
+			body.set("client_id", options.clientId);
+			if (nonce) body.set("nonce", nonce);
+			const { data, error } = await betterFetch<LineIdTokenPayload>(
+				verifyIdTokenEndpoint,
+				{
+					method: "POST",
+					headers: {
+						"content-type": "application/x-www-form-urlencoded",
+					},
+					body,
+				},
+			);
+			if (error || !data) {
+				return false;
+			}
+			// aud must match clientId; nonce (if provided) must also match
+			if (data.aud !== options.clientId) return false;
+			if (nonce && data.nonce && data.nonce !== nonce) return false;
+			return true;
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			let profile: LineUserInfo | LineIdTokenPayload | null = null;
+			// Prefer ID token if available
+			if (token.idToken) {
+				try {
+					profile = decodeJwt(token.idToken) as LineIdTokenPayload;
+				} catch {}
+			}
+			// Fallback to UserInfo endpoint
+			if (!profile) {
+				const { data } = await betterFetch<LineUserInfo>(userInfoEndpoint, {
+					headers: {
+						authorization: `Bearer ${token.accessToken}`,
+					},
+				});
+				profile = data || null;
+			}
+			if (!profile) return null;
+			const userMap = await options.mapProfileToUser?.(profile as any);
+			// ID preference order
+			const id = (profile as any).sub || (profile as any).userId;
+			const name = (profile as any).name || (profile as any).displayName;
+			const image =
+				(profile as any).picture || (profile as any).pictureUrl || undefined;
+			const email = (profile as any).email;
+			return {
+				user: {
+					id,
+					name,
+					email,
+					image,
+					// LINE does not expose email verification status in ID token/userinfo
+					emailVerified: false,
+					...userMap,
+				},
+				data: profile as any,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<LineUserInfo | LineIdTokenPayload, LineOptions>;
+};

package/src/social-providers/linear.ts

@@ -0,0 +1,120 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+
+interface LinearUser {
+	id: string;
+	name: string;
+	email: string;
+	avatarUrl?: string;
+	active: boolean;
+	createdAt: string;
+	updatedAt: string;
+}
+
+export interface LinearProfile {
+	data: {
+		viewer: LinearUser;
+	};
+}
+
+export interface LinearOptions extends ProviderOptions<LinearUser> {
+	clientId: string;
+}
+
+export const linear = (options: LinearOptions) => {
+	const tokenEndpoint = "https://api.linear.app/oauth/token";
+	return {
+		id: "linear",
+		name: "Linear",
+		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["read"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "linear",
+				options,
+				authorizationEndpoint: "https://linear.app/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			const { data: profile, error } = await betterFetch<LinearProfile>(
+				"https://api.linear.app/graphql",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/json",
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+					body: JSON.stringify({
+						query: `
+							query {
+								viewer {
+									id
+									name
+									email
+									avatarUrl
+									active
+									createdAt
+									updatedAt
+								}
+							}
+						`,
+					}),
+				},
+			);
+			if (error || !profile?.data?.viewer) {
+				return null;
+			}
+
+			const userData = profile.data.viewer;
+			const userMap = await options.mapProfileToUser?.(userData);
+
+			return {
+				user: {
+					id: profile.data.viewer.id,
+					name: profile.data.viewer.name,
+					email: profile.data.viewer.email,
+					image: profile.data.viewer.avatarUrl,
+					emailVerified: true,
+					...userMap,
+				},
+				data: userData,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<LinearUser>;
+};

package/src/social-providers/linkedin.ts

@@ -0,0 +1,110 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+
+export interface LinkedInProfile {
+	sub: string;
+	name: string;
+	given_name: string;
+	family_name: string;
+	picture: string;
+	locale: {
+		country: string;
+		language: string;
+	};
+	email: string;
+	email_verified: boolean;
+}
+
+export interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
+	clientId: string;
+}
+
+export const linkedin = (options: LinkedInOptions) => {
+	const authorizationEndpoint =
+		"https://www.linkedin.com/oauth/v2/authorization";
+	const tokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
+
+	return {
+		id: "linkedin",
+		name: "Linkedin",
+		createAuthorizationURL: async ({
+			state,
+			scopes,
+			redirectURI,
+			loginHint,
+		}) => {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["profile", "email", "openid"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "linkedin",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				loginHint,
+				redirectURI,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return await validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<LinkedInProfile>(
+				"https://api.linkedin.com/v2/userinfo",
+				{
+					method: "GET",
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name,
+					email: profile.email,
+					emailVerified: profile.email_verified || false,
+					image: profile.picture,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<LinkedInProfile>;
+};