@better-auth/core 1.3.27 → 1.3.29

package/src/social-providers/paypal.ts

@@ -0,0 +1,261 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import { createAuthorizationURL } from "@better-auth/core/oauth2";
+import { logger } from "@better-auth/core/env";
+import { decodeJwt } from "jose";
+import { base64 } from "@better-auth/utils/base64";
+
+export interface PayPalProfile {
+	user_id: string;
+	name: string;
+	given_name: string;
+	family_name: string;
+	middle_name?: string;
+	picture?: string;
+	email: string;
+	email_verified: boolean;
+	gender?: string;
+	birthdate?: string;
+	zoneinfo?: string;
+	locale?: string;
+	phone_number?: string;
+	address?: {
+		street_address?: string;
+		locality?: string;
+		region?: string;
+		postal_code?: string;
+		country?: string;
+	};
+	verified_account?: boolean;
+	account_type?: string;
+	age_range?: string;
+	payer_id?: string;
+}
+
+export interface PayPalTokenResponse {
+	scope?: string;
+	access_token: string;
+	refresh_token?: string;
+	token_type: "Bearer";
+	id_token?: string;
+	expires_in: number;
+	nonce?: string;
+}
+
+export interface PayPalOptions extends ProviderOptions<PayPalProfile> {
+	clientId: string;
+	/**
+	 * PayPal environment - 'sandbox' for testing, 'live' for production
+	 * @default 'sandbox'
+	 */
+	environment?: "sandbox" | "live";
+	/**
+	 * Whether to request shipping address information
+	 * @default false
+	 */
+	requestShippingAddress?: boolean;
+}
+
+export const paypal = (options: PayPalOptions) => {
+	const environment = options.environment || "sandbox";
+	const isSandbox = environment === "sandbox";
+
+	const authorizationEndpoint = isSandbox
+		? "https://www.sandbox.paypal.com/signin/authorize"
+		: "https://www.paypal.com/signin/authorize";
+
+	const tokenEndpoint = isSandbox
+		? "https://api-m.sandbox.paypal.com/v1/oauth2/token"
+		: "https://api-m.paypal.com/v1/oauth2/token";
+
+	const userInfoEndpoint = isSandbox
+		? "https://api-m.sandbox.paypal.com/v1/identity/oauth2/userinfo"
+		: "https://api-m.paypal.com/v1/identity/oauth2/userinfo";
+
+	return {
+		id: "paypal",
+		name: "PayPal",
+		async createAuthorizationURL({ state, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error(
+					"Client Id and Client Secret is required for PayPal. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+
+			/**
+			 * Log in with PayPal doesn't use traditional OAuth2 scopes
+			 * Instead, permissions are configured in the PayPal Developer Dashboard
+			 * We don't pass any scopes to avoid "invalid scope" errors
+			 **/
+
+			const _scopes: string[] = [];
+
+			const url = await createAuthorizationURL({
+				id: "paypal",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+			});
+			return url;
+		},
+
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			/**
+			 * PayPal requires Basic Auth for token exchange
+			 **/
+
+			const credentials = base64.encode(
+				`${options.clientId}:${options.clientSecret}`,
+			);
+
+			try {
+				const response = await betterFetch(tokenEndpoint, {
+					method: "POST",
+					headers: {
+						Authorization: `Basic ${credentials}`,
+						Accept: "application/json",
+						"Accept-Language": "en_US",
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						grant_type: "authorization_code",
+						code: code,
+						redirect_uri: redirectURI,
+					}).toString(),
+				});
+
+				if (!response.data) {
+					throw new BetterAuthError("FAILED_TO_GET_ACCESS_TOKEN");
+				}
+
+				const data = response.data as PayPalTokenResponse;
+
+				const result = {
+					accessToken: data.access_token,
+					refreshToken: data.refresh_token,
+					accessTokenExpiresAt: data.expires_in
+						? new Date(Date.now() + data.expires_in * 1000)
+						: undefined,
+					idToken: data.id_token,
+				};
+
+				return result;
+			} catch (error) {
+				logger.error("PayPal token exchange failed:", error);
+				throw new BetterAuthError("FAILED_TO_GET_ACCESS_TOKEN");
+			}
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					const credentials = base64.encode(
+						`${options.clientId}:${options.clientSecret}`,
+					);
+
+					try {
+						const response = await betterFetch(tokenEndpoint, {
+							method: "POST",
+							headers: {
+								Authorization: `Basic ${credentials}`,
+								Accept: "application/json",
+								"Accept-Language": "en_US",
+								"Content-Type": "application/x-www-form-urlencoded",
+							},
+							body: new URLSearchParams({
+								grant_type: "refresh_token",
+								refresh_token: refreshToken,
+							}).toString(),
+						});
+
+						if (!response.data) {
+							throw new BetterAuthError("FAILED_TO_REFRESH_ACCESS_TOKEN");
+						}
+
+						const data = response.data as any;
+						return {
+							accessToken: data.access_token,
+							refreshToken: data.refresh_token,
+							accessTokenExpiresAt: data.expires_in
+								? new Date(Date.now() + data.expires_in * 1000)
+								: undefined,
+						};
+					} catch (error) {
+						logger.error("PayPal token refresh failed:", error);
+						throw new BetterAuthError("FAILED_TO_REFRESH_ACCESS_TOKEN");
+					}
+				},
+
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+			try {
+				const payload = decodeJwt(token);
+				return !!payload.sub;
+			} catch (error) {
+				logger.error("Failed to verify PayPal ID token:", error);
+				return false;
+			}
+		},
+
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			if (!token.accessToken) {
+				logger.error("Access token is required to fetch PayPal user info");
+				return null;
+			}
+
+			try {
+				const response = await betterFetch<PayPalProfile>(
+					`${userInfoEndpoint}?schema=paypalv1.1`,
+					{
+						headers: {
+							Authorization: `Bearer ${token.accessToken}`,
+							Accept: "application/json",
+						},
+					},
+				);
+
+				if (!response.data) {
+					logger.error("Failed to fetch user info from PayPal");
+					return null;
+				}
+
+				const userInfo = response.data;
+				const userMap = await options.mapProfileToUser?.(userInfo);
+
+				const result = {
+					user: {
+						id: userInfo.user_id,
+						name: userInfo.name,
+						email: userInfo.email,
+						image: userInfo.picture,
+						emailVerified: userInfo.email_verified,
+						...userMap,
+					},
+					data: userInfo,
+				};
+
+				return result;
+			} catch (error) {
+				logger.error("Failed to fetch user info from PayPal:", error);
+				return null;
+			}
+		},
+
+		options,
+	} satisfies OAuthProvider<PayPalProfile>;
+};

package/src/social-providers/reddit.ts

@@ -0,0 +1,122 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	getOAuth2Tokens,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+import { base64 } from "@better-auth/utils/base64";
+
+export interface RedditProfile {
+	id: string;
+	name: string;
+	icon_img: string | null;
+	has_verified_email: boolean;
+	oauth_client_id: string;
+	verified: boolean;
+}
+
+export interface RedditOptions extends ProviderOptions<RedditProfile> {
+	clientId: string;
+	duration?: string;
+}
+
+export const reddit = (options: RedditOptions) => {
+	return {
+		id: "reddit",
+		name: "Reddit",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["identity"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "reddit",
+				options,
+				authorizationEndpoint: "https://www.reddit.com/api/v1/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				duration: options.duration,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			const body = new URLSearchParams({
+				grant_type: "authorization_code",
+				code,
+				redirect_uri: options.redirectURI || redirectURI,
+			});
+			const headers = {
+				"content-type": "application/x-www-form-urlencoded",
+				accept: "text/plain",
+				"user-agent": "better-auth",
+				Authorization: `Basic ${base64.encode(
+					`${options.clientId}:${options.clientSecret}`,
+				)}`,
+			};
+
+			const { data, error } = await betterFetch<object>(
+				"https://www.reddit.com/api/v1/access_token",
+				{
+					method: "POST",
+					headers,
+					body: body.toString(),
+				},
+			);
+
+			if (error) {
+				throw error;
+			}
+
+			return getOAuth2Tokens(data);
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						authentication: "basic",
+						tokenEndpoint: "https://www.reddit.com/api/v1/access_token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			const { data: profile, error } = await betterFetch<RedditProfile>(
+				"https://oauth.reddit.com/api/v1/me",
+				{
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+						"User-Agent": "better-auth",
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+
+			const userMap = await options.mapProfileToUser?.(profile);
+
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name,
+					email: profile.oauth_client_id,
+					emailVerified: profile.has_verified_email,
+					image: profile.icon_img?.split("?")[0]!,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<RedditProfile>;
+};

package/src/social-providers/roblox.ts

@@ -0,0 +1,110 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	validateAuthorizationCode,
+	refreshAccessToken,
+} from "@better-auth/core/oauth2";
+
+export interface RobloxProfile extends Record<string, any> {
+	/** the user's id */
+	sub: string;
+	/** the user's username */
+	preferred_username: string;
+	/** the user's display name, will return the same value as the preferred_username if not set */
+	nickname: string;
+	/** the user's display name, again, will return the same value as the preferred_username if not set */
+	name: string;
+	/** the account creation date as a unix timestamp in seconds */
+	created_at: number;
+	/** the user's profile URL */
+	profile: string;
+	/** the user's avatar URL */
+	picture: string;
+}
+
+export interface RobloxOptions extends ProviderOptions<RobloxProfile> {
+	clientId: string;
+	prompt?:
+		| "none"
+		| "consent"
+		| "login"
+		| "select_account"
+		| "select_account consent";
+}
+
+export const roblox = (options: RobloxOptions) => {
+	return {
+		id: "roblox",
+		name: "Roblox",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["openid", "profile"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+			return new URL(
+				`https://apis.roblox.com/oauth/v1/authorize?scope=${_scopes.join(
+					"+",
+				)}&response_type=code&client_id=${
+					options.clientId
+				}&redirect_uri=${encodeURIComponent(
+					options.redirectURI || redirectURI,
+				)}&state=${state}&prompt=${options.prompt || "select_account consent"}`,
+			);
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI: options.redirectURI || redirectURI,
+				options,
+				tokenEndpoint: "https://apis.roblox.com/oauth/v1/token",
+				authentication: "post",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://apis.roblox.com/oauth/v1/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<RobloxProfile>(
+				"https://apis.roblox.com/oauth/v1/userinfo",
+				{
+					headers: {
+						authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+
+			const userMap = await options.mapProfileToUser?.(profile);
+
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.nickname || profile.preferred_username || "",
+					image: profile.picture,
+					email: profile.preferred_username || null, // Roblox does not provide email
+					emailVerified: true,
+					...userMap,
+				},
+				data: {
+					...profile,
+				},
+			};
+		},
+		options,
+	} satisfies OAuthProvider<RobloxProfile>;
+};

package/src/social-providers/salesforce.ts

@@ -0,0 +1,157 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import {
+	createAuthorizationURL,
+	validateAuthorizationCode,
+} from "@better-auth/core/oauth2";
+import { logger } from "@better-auth/core/env";
+import { refreshAccessToken } from "@better-auth/core/oauth2";
+
+export interface SalesforceProfile {
+	sub: string;
+	user_id: string;
+	organization_id: string;
+	preferred_username?: string;
+	email: string;
+	email_verified?: boolean;
+	name: string;
+	given_name?: string;
+	family_name?: string;
+	zoneinfo?: string;
+	photos?: {
+		picture?: string;
+		thumbnail?: string;
+	};
+}
+
+export interface SalesforceOptions extends ProviderOptions<SalesforceProfile> {
+	clientId: string;
+	environment?: "sandbox" | "production";
+	loginUrl?: string;
+	/**
+	 * Override the redirect URI if auto-detection fails.
+	 * Should match the Callback URL configured in your Salesforce Connected App.
+	 * @example "http://localhost:3000/api/auth/callback/salesforce"
+	 */
+	redirectURI?: string;
+}
+
+export const salesforce = (options: SalesforceOptions) => {
+	const environment = options.environment ?? "production";
+	const isSandbox = environment === "sandbox";
+	const authorizationEndpoint = options.loginUrl
+		? `https://${options.loginUrl}/services/oauth2/authorize`
+		: isSandbox
+			? "https://test.salesforce.com/services/oauth2/authorize"
+			: "https://login.salesforce.com/services/oauth2/authorize";
+
+	const tokenEndpoint = options.loginUrl
+		? `https://${options.loginUrl}/services/oauth2/token`
+		: isSandbox
+			? "https://test.salesforce.com/services/oauth2/token"
+			: "https://login.salesforce.com/services/oauth2/token";
+
+	const userInfoEndpoint = options.loginUrl
+		? `https://${options.loginUrl}/services/oauth2/userinfo`
+		: isSandbox
+			? "https://test.salesforce.com/services/oauth2/userinfo"
+			: "https://login.salesforce.com/services/oauth2/userinfo";
+
+	return {
+		id: "salesforce",
+		name: "Salesforce",
+
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error(
+					"Client Id and Client Secret are required for Salesforce. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) {
+				throw new BetterAuthError("codeVerifier is required for Salesforce");
+			}
+
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "email", "profile"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+
+			return createAuthorizationURL({
+				id: "salesforce",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI: options.redirectURI || redirectURI,
+			});
+		},
+
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI: options.redirectURI || redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			try {
+				const { data: user } = await betterFetch<SalesforceProfile>(
+					userInfoEndpoint,
+					{
+						headers: {
+							Authorization: `Bearer ${token.accessToken}`,
+						},
+					},
+				);
+
+				if (!user) {
+					logger.error("Failed to fetch user info from Salesforce");
+					return null;
+				}
+
+				const userMap = await options.mapProfileToUser?.(user);
+
+				return {
+					user: {
+						id: user.user_id,
+						name: user.name,
+						email: user.email,
+						image: user.photos?.picture || user.photos?.thumbnail,
+						emailVerified: user.email_verified ?? false,
+						...userMap,
+					},
+					data: user,
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Salesforce:", error);
+				return null;
+			}
+		},
+
+		options,
+	} satisfies OAuthProvider<SalesforceProfile>;
+};