@better-auth/core 1.4.0-beta.6 → 1.4.0-beta.8

package/src/oauth2/oauth-provider.ts

@@ -0,0 +1,194 @@
+import type { LiteralString } from "../types";
+
+export interface OAuth2Tokens {
+	tokenType?: string;
+	accessToken?: string;
+	refreshToken?: string;
+	accessTokenExpiresAt?: Date;
+	refreshTokenExpiresAt?: Date;
+	scopes?: string[];
+	idToken?: string;
+}
+
+export type OAuth2UserInfo = {
+	id: string | number;
+	name?: string;
+	email?: string | null;
+	image?: string;
+	emailVerified: boolean;
+};
+
+export interface OAuthProvider<
+	T extends Record<string, any> = Record<string, any>,
+	O extends Record<string, any> = Partial<ProviderOptions>,
+> {
+	id: LiteralString;
+	createAuthorizationURL: (data: {
+		state: string;
+		codeVerifier: string;
+		scopes?: string[];
+		redirectURI: string;
+		display?: string;
+		loginHint?: string;
+	}) => Promise<URL> | URL;
+	name: string;
+	validateAuthorizationCode: (data: {
+		code: string;
+		redirectURI: string;
+		codeVerifier?: string;
+		deviceId?: string;
+	}) => Promise<OAuth2Tokens>;
+	getUserInfo: (
+		token: OAuth2Tokens & {
+			/**
+			 * The user object from the provider
+			 * This is only available for some providers like Apple
+			 */
+			user?: {
+				name?: {
+					firstName?: string;
+					lastName?: string;
+				};
+				email?: string;
+			};
+		},
+	) => Promise<{
+		user: OAuth2UserInfo;
+		data: T;
+	} | null>;
+	/**
+	 * Custom function to refresh a token
+	 */
+	refreshAccessToken?: (refreshToken: string) => Promise<OAuth2Tokens>;
+	revokeToken?: (token: string) => Promise<void>;
+	/**
+	 * Verify the id token
+	 * @param token - The id token
+	 * @param nonce - The nonce
+	 * @returns True if the id token is valid, false otherwise
+	 */
+	verifyIdToken?: (token: string, nonce?: string) => Promise<boolean>;
+	/**
+	 * Disable implicit sign up for new users. When set to true for the provider,
+	 * sign-in need to be called with with requestSignUp as true to create new users.
+	 */
+	disableImplicitSignUp?: boolean;
+	/**
+	 * Disable sign up for new users.
+	 */
+	disableSignUp?: boolean;
+	/**
+	 * Options for the provider
+	 */
+	options?: O;
+}
+
+export type ProviderOptions<Profile extends Record<string, any> = any> = {
+	/**
+	 * The client ID of your application.
+	 *
+	 * This is usually a string but can be any type depending on the provider.
+	 */
+	clientId?: unknown;
+	/**
+	 * The client secret of your application
+	 */
+	clientSecret?: string;
+	/**
+	 * The scopes you want to request from the provider
+	 */
+	scope?: string[];
+	/**
+	 * Remove default scopes of the provider
+	 */
+	disableDefaultScope?: boolean;
+	/**
+	 * The redirect URL for your application. This is where the provider will
+	 * redirect the user after the sign in process. Make sure this URL is
+	 * whitelisted in the provider's dashboard.
+	 */
+	redirectURI?: string;
+	/**
+	 * The client key of your application
+	 * Tiktok Social Provider uses this field instead of clientId
+	 */
+	clientKey?: string;
+	/**
+	 * Disable provider from allowing users to sign in
+	 * with this provider with an id token sent from the
+	 * client.
+	 */
+	disableIdTokenSignIn?: boolean;
+	/**
+	 * verifyIdToken function to verify the id token
+	 */
+	verifyIdToken?: (token: string, nonce?: string) => Promise<boolean>;
+	/**
+	 * Custom function to get user info from the provider
+	 */
+	getUserInfo?: (token: OAuth2Tokens) => Promise<{
+		user: {
+			id: string;
+			name?: string;
+			email?: string | null;
+			image?: string;
+			emailVerified: boolean;
+			[key: string]: any;
+		};
+		data: any;
+	}>;
+	/**
+	 * Custom function to refresh a token
+	 */
+	refreshAccessToken?: (refreshToken: string) => Promise<OAuth2Tokens>;
+	/**
+	 * Custom function to map the provider profile to a
+	 * user.
+	 */
+	mapProfileToUser?: (profile: Profile) =>
+		| {
+				id?: string;
+				name?: string;
+				email?: string | null;
+				image?: string;
+				emailVerified?: boolean;
+				[key: string]: any;
+		  }
+		| Promise<{
+				id?: string;
+				name?: string;
+				email?: string | null;
+				image?: string;
+				emailVerified?: boolean;
+				[key: string]: any;
+		  }>;
+	/**
+	 * Disable implicit sign up for new users. When set to true for the provider,
+	 * sign-in need to be called with with requestSignUp as true to create new users.
+	 */
+	disableImplicitSignUp?: boolean;
+	/**
+	 * Disable sign up for new users.
+	 */
+	disableSignUp?: boolean;
+	/**
+	 * The prompt to use for the authorization code request
+	 */
+	prompt?:
+		| "select_account"
+		| "consent"
+		| "login"
+		| "none"
+		| "select_account consent";
+	/**
+	 * The response mode to use for the authorization code request
+	 */
+	responseMode?: "query" | "form_post";
+	/**
+	 * If enabled, the user info will be overridden with the provider user info
+	 * This is useful if you want to use the provider user info to update the user info
+	 *
+	 * @default false
+	 */
+	overrideUserInfoOnSignIn?: boolean;
+};

package/src/oauth2/refresh-access-token.ts

@@ -0,0 +1,124 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuth2Tokens, ProviderOptions } from "./oauth-provider";
+import { base64 } from "@better-auth/utils/base64";
+
+export function createRefreshAccessTokenRequest({
+	refreshToken,
+	options,
+	authentication,
+	extraParams,
+	resource,
+}: {
+	refreshToken: string;
+	options: Partial<ProviderOptions>;
+	authentication?: "basic" | "post";
+	extraParams?: Record<string, string>;
+	resource?: string | string[];
+}) {
+	const body = new URLSearchParams();
+	const headers: Record<string, any> = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+	};
+
+	body.set("grant_type", "refresh_token");
+	body.set("refresh_token", refreshToken);
+	// Use standard Base64 encoding for HTTP Basic Auth (OAuth2 spec, RFC 7617)
+	// Fixes compatibility with providers like Notion, Twitter, etc.
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		if (primaryClientId) {
+			headers["authorization"] =
+				"Basic " +
+				base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`);
+		} else {
+			headers["authorization"] =
+				"Basic " + base64.encode(`:${options.clientSecret ?? ""}`);
+		}
+	} else {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) {
+			body.set("client_secret", options.clientSecret);
+		}
+	}
+
+	if (resource) {
+		if (typeof resource === "string") {
+			body.append("resource", resource);
+		} else {
+			for (const _resource of resource) {
+				body.append("resource", _resource);
+			}
+		}
+	}
+	if (extraParams) {
+		for (const [key, value] of Object.entries(extraParams)) {
+			body.set(key, value);
+		}
+	}
+
+	return {
+		body,
+		headers,
+	};
+}
+
+export async function refreshAccessToken({
+	refreshToken,
+	options,
+	tokenEndpoint,
+	authentication,
+	extraParams,
+}: {
+	refreshToken: string;
+	options: Partial<ProviderOptions>;
+	tokenEndpoint: string;
+	authentication?: "basic" | "post";
+	extraParams?: Record<string, string>;
+	/** @deprecated always "refresh_token" */
+	grantType?: string;
+}): Promise<OAuth2Tokens> {
+	const { body, headers } = createRefreshAccessTokenRequest({
+		refreshToken,
+		options,
+		authentication,
+		extraParams,
+	});
+
+	const { data, error } = await betterFetch<{
+		access_token: string;
+		refresh_token?: string;
+		expires_in?: number;
+		token_type?: string;
+		scope?: string;
+		id_token?: string;
+	}>(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers,
+	});
+	if (error) {
+		throw error;
+	}
+	const tokens: OAuth2Tokens = {
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		tokenType: data.token_type,
+		scopes: data.scope?.split(" "),
+		idToken: data.id_token,
+	};
+
+	if (data.expires_in) {
+		const now = new Date();
+		tokens.accessTokenExpiresAt = new Date(
+			now.getTime() + data.expires_in * 1000,
+		);
+	}
+
+	return tokens;
+}

package/src/oauth2/utils.ts

@@ -0,0 +1,36 @@
+import { base64Url } from "@better-auth/utils/base64";
+import type { OAuth2Tokens } from "./oauth-provider";
+
+export function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens {
+	const getDate = (seconds: number) => {
+		const now = new Date();
+		return new Date(now.getTime() + seconds * 1000);
+	};
+
+	return {
+		tokenType: data.token_type,
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		accessTokenExpiresAt: data.expires_in
+			? getDate(data.expires_in)
+			: undefined,
+		refreshTokenExpiresAt: data.refresh_token_expires_in
+			? getDate(data.refresh_token_expires_in)
+			: undefined,
+		scopes: data?.scope
+			? typeof data.scope === "string"
+				? data.scope.split(" ")
+				: data.scope
+			: [],
+		idToken: data.id_token,
+	};
+}
+
+export async function generateCodeChallenge(codeVerifier: string) {
+	const encoder = new TextEncoder();
+	const data = encoder.encode(codeVerifier);
+	const hash = await crypto.subtle.digest("SHA-256", data);
+	return base64Url.encode(new Uint8Array(hash), {
+		padding: false,
+	});
+}

package/src/oauth2/validate-authorization-code.ts

@@ -0,0 +1,156 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { jwtVerify } from "jose";
+import type { ProviderOptions } from "./index";
+import { getOAuth2Tokens } from "./index";
+import { base64 } from "@better-auth/utils/base64";
+
+export function createAuthorizationCodeRequest({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: Partial<ProviderOptions>;
+	codeVerifier?: string;
+	deviceId?: string;
+	authentication?: "basic" | "post";
+	headers?: Record<string, string>;
+	additionalParams?: Record<string, string>;
+	resource?: string | string[];
+}) {
+	const body = new URLSearchParams();
+	const requestHeaders: Record<string, any> = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+		"user-agent": "better-auth",
+		...headers,
+	};
+	body.set("grant_type", "authorization_code");
+	body.set("code", code);
+	codeVerifier && body.set("code_verifier", codeVerifier);
+	options.clientKey && body.set("client_key", options.clientKey);
+	deviceId && body.set("device_id", deviceId);
+	body.set("redirect_uri", options.redirectURI || redirectURI);
+	if (resource) {
+		if (typeof resource === "string") {
+			body.append("resource", resource);
+		} else {
+			for (const _resource of resource) {
+				body.append("resource", _resource);
+			}
+		}
+	}
+	// Use standard Base64 encoding for HTTP Basic Auth (OAuth2 spec, RFC 7617)
+	// Fixes compatibility with providers like Notion, Twitter, etc.
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		const encodedCredentials = base64.encode(
+			`${primaryClientId}:${options.clientSecret ?? ""}`,
+		);
+		requestHeaders["authorization"] = `Basic ${encodedCredentials}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) {
+			body.set("client_secret", options.clientSecret);
+		}
+	}
+
+	for (const [key, value] of Object.entries(additionalParams)) {
+		if (!body.has(key)) body.append(key, value);
+	}
+
+	return {
+		body,
+		headers: requestHeaders,
+	};
+}
+
+export async function validateAuthorizationCode({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	tokenEndpoint,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: Partial<ProviderOptions>;
+	codeVerifier?: string;
+	deviceId?: string;
+	tokenEndpoint: string;
+	authentication?: "basic" | "post";
+	headers?: Record<string, string>;
+	additionalParams?: Record<string, string>;
+	resource?: string | string[];
+}) {
+	const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource,
+	});
+
+	const { data, error } = await betterFetch<object>(tokenEndpoint, {
+		method: "POST",
+		body: body,
+		headers: requestHeaders,
+	});
+
+	if (error) {
+		throw error;
+	}
+	const tokens = getOAuth2Tokens(data);
+	return tokens;
+}
+
+export async function validateToken(token: string, jwksEndpoint: string) {
+	const { data, error } = await betterFetch<{
+		keys: {
+			kid: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+			x5c: string[];
+		}[];
+	}>(jwksEndpoint, {
+		method: "GET",
+		headers: {
+			accept: "application/json",
+			"user-agent": "better-auth",
+		},
+	});
+	if (error) {
+		throw error;
+	}
+	const keys = data["keys"];
+	const header = JSON.parse(atob(token.split(".")[0]!));
+	const key = keys.find((key) => key.kid === header.kid);
+	if (!key) {
+		throw new Error("Key not found");
+	}
+	const verified = await jwtVerify(token, key);
+	return verified;
+}

package/src/types/helper.ts

@@ -1 +1,6 @@
+type Primitive = string | number | symbol | bigint | boolean | null | undefined;
+
 export type LiteralString = "" | (string & Record<never, never>);
+export type LiteralUnion<LiteralType, BaseType extends Primitive> =
+	| LiteralType
+	| (BaseType & Record<never, never>);

package/src/types/index.ts

@@ -1 +1,2 @@
-export * from "./helper";
+export type * from "./helper";
+export type { BetterAuthAdvancedOptions, GenerateIdFn } from "./init-options";

package/src/types/init-options.ts

@@ -0,0 +1,119 @@
+import type { CookieOptions } from "better-call";
+import type { LiteralUnion } from "./helper";
+import type { Models } from "../db/type";
+
+export type GenerateIdFn = (options: {
+	model: LiteralUnion<Models, string>;
+	size?: number;
+}) => string | false;
+
+export type BetterAuthAdvancedOptions = {
+	/**
+	 * Ip address configuration
+	 */
+	ipAddress?: {
+		/**
+		 * List of headers to use for ip address
+		 *
+		 * Ip address is used for rate limiting and session tracking
+		 *
+		 * @example ["x-client-ip", "x-forwarded-for", "cf-connecting-ip"]
+		 *
+		 * @default
+		 * @link https://github.com/better-auth/better-auth/blob/main/packages/better-auth/src/utils/get-request-ip.ts#L8
+		 */
+		ipAddressHeaders?: string[];
+		/**
+		 * Disable ip tracking
+		 *
+		 * ⚠︎ This is a security risk and it may expose your application to abuse
+		 */
+		disableIpTracking?: boolean;
+	};
+	/**
+	 * Use secure cookies
+	 *
+	 * @default false
+	 */
+	useSecureCookies?: boolean;
+	/**
+	 * Disable trusted origins check
+	 *
+	 * ⚠︎ This is a security risk and it may expose your application to CSRF attacks
+	 */
+	disableCSRFCheck?: boolean;
+	/**
+	 * Configure cookies to be cross subdomains
+	 */
+	crossSubDomainCookies?: {
+		/**
+		 * Enable cross subdomain cookies
+		 */
+		enabled: boolean;
+		/**
+		 * Additional cookies to be shared across subdomains
+		 */
+		additionalCookies?: string[];
+		/**
+		 * The domain to use for the cookies
+		 *
+		 * By default, the domain will be the root
+		 * domain from the base URL.
+		 */
+		domain?: string;
+	};
+	/*
+	 * Allows you to change default cookie names and attributes
+	 *
+	 * default cookie names:
+	 * - "session_token"
+	 * - "session_data"
+	 * - "dont_remember"
+	 *
+	 * plugins can also add additional cookies
+	 */
+	cookies?: {
+		[key: string]: {
+			name?: string;
+			attributes?: CookieOptions;
+		};
+	};
+	defaultCookieAttributes?: CookieOptions;
+	/**
+	 * Prefix for cookies. If a cookie name is provided
+	 * in cookies config, this will be overridden.
+	 *
+	 * @default
+	 * ```txt
+	 * "appName" -> which defaults to "better-auth"
+	 * ```
+	 */
+	cookiePrefix?: string;
+	/**
+	 * Database configuration.
+	 */
+	database?: {
+		/**
+		 * The default number of records to return from the database
+		 * when using the `findMany` adapter method.
+		 *
+		 * @default 100
+		 */
+		defaultFindManyLimit?: number;
+		/**
+		 * If your database auto increments number ids, set this to `true`.
+		 *
+		 * Note: If enabled, we will not handle ID generation (including if you use `generateId`), and it would be expected that your database will provide the ID automatically.
+		 *
+		 * @default false
+		 */
+		useNumberId?: boolean;
+		/**
+		 * Custom generateId function.
+		 *
+		 * If not provided, random ids will be generated.
+		 * If set to false, the database's auto generated id will be used.
+		 */
+		generateId?: GenerateIdFn | false;
+	};
+};

package/tsconfig.json

@@ -4,7 +4,7 @@
     "rootDir": "./src",
     "outDir": "./dist",
     "lib": ["esnext", "dom", "dom.iterable"],
-    "types": []
+    "types": ["node"]
   },
   "include": ["src"]
 }