@better-auth/core 1.4.0-beta.7 → 1.4.0-beta.8

package/dist/oauth2/index.mjs

@@ -0,0 +1,357 @@
+import { base64Url, base64 } from '@better-auth/utils/base64';
+import { betterFetch } from '@better-fetch/fetch';
+import { jwtVerify } from 'jose';
+
+function getOAuth2Tokens(data) {
+  const getDate = (seconds) => {
+    const now = /* @__PURE__ */ new Date();
+    return new Date(now.getTime() + seconds * 1e3);
+  };
+  return {
+    tokenType: data.token_type,
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    accessTokenExpiresAt: data.expires_in ? getDate(data.expires_in) : void 0,
+    refreshTokenExpiresAt: data.refresh_token_expires_in ? getDate(data.refresh_token_expires_in) : void 0,
+    scopes: data?.scope ? typeof data.scope === "string" ? data.scope.split(" ") : data.scope : [],
+    idToken: data.id_token
+  };
+}
+async function generateCodeChallenge(codeVerifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(codeVerifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return base64Url.encode(new Uint8Array(hash), {
+    padding: false
+  });
+}
+
+async function createAuthorizationURL({
+  id,
+  options,
+  authorizationEndpoint,
+  state,
+  codeVerifier,
+  scopes,
+  claims,
+  redirectURI,
+  duration,
+  prompt,
+  accessType,
+  responseType,
+  display,
+  loginHint,
+  hd,
+  responseMode,
+  additionalParams,
+  scopeJoiner
+}) {
+  const url = new URL(authorizationEndpoint);
+  url.searchParams.set("response_type", responseType || "code");
+  const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+  url.searchParams.set("client_id", primaryClientId);
+  url.searchParams.set("state", state);
+  url.searchParams.set("scope", scopes.join(scopeJoiner || " "));
+  url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+  duration && url.searchParams.set("duration", duration);
+  display && url.searchParams.set("display", display);
+  loginHint && url.searchParams.set("login_hint", loginHint);
+  prompt && url.searchParams.set("prompt", prompt);
+  hd && url.searchParams.set("hd", hd);
+  accessType && url.searchParams.set("access_type", accessType);
+  responseMode && url.searchParams.set("response_mode", responseMode);
+  if (codeVerifier) {
+    const codeChallenge = await generateCodeChallenge(codeVerifier);
+    url.searchParams.set("code_challenge_method", "S256");
+    url.searchParams.set("code_challenge", codeChallenge);
+  }
+  if (claims) {
+    const claimsObj = claims.reduce(
+      (acc, claim) => {
+        acc[claim] = null;
+        return acc;
+      },
+      {}
+    );
+    url.searchParams.set(
+      "claims",
+      JSON.stringify({
+        id_token: { email: null, email_verified: null, ...claimsObj }
+      })
+    );
+  }
+  if (additionalParams) {
+    Object.entries(additionalParams).forEach(([key, value]) => {
+      url.searchParams.set(key, value);
+    });
+  }
+  return url;
+}
+
+function createAuthorizationCodeRequest({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams = {},
+  resource
+}) {
+  const body = new URLSearchParams();
+  const requestHeaders = {
+    "content-type": "application/x-www-form-urlencoded",
+    accept: "application/json",
+    "user-agent": "better-auth",
+    ...headers
+  };
+  body.set("grant_type", "authorization_code");
+  body.set("code", code);
+  codeVerifier && body.set("code_verifier", codeVerifier);
+  options.clientKey && body.set("client_key", options.clientKey);
+  deviceId && body.set("device_id", deviceId);
+  body.set("redirect_uri", options.redirectURI || redirectURI);
+  if (resource) {
+    if (typeof resource === "string") {
+      body.append("resource", resource);
+    } else {
+      for (const _resource of resource) {
+        body.append("resource", _resource);
+      }
+    }
+  }
+  if (authentication === "basic") {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    const encodedCredentials = base64.encode(
+      `${primaryClientId}:${options.clientSecret ?? ""}`
+    );
+    requestHeaders["authorization"] = `Basic ${encodedCredentials}`;
+  } else {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    body.set("client_id", primaryClientId);
+    if (options.clientSecret) {
+      body.set("client_secret", options.clientSecret);
+    }
+  }
+  for (const [key, value] of Object.entries(additionalParams)) {
+    if (!body.has(key)) body.append(key, value);
+  }
+  return {
+    body,
+    headers: requestHeaders
+  };
+}
+async function validateAuthorizationCode({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  tokenEndpoint,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams = {},
+  resource
+}) {
+  const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+    code,
+    codeVerifier,
+    redirectURI,
+    options,
+    authentication,
+    deviceId,
+    headers,
+    additionalParams,
+    resource
+  });
+  const { data, error } = await betterFetch(tokenEndpoint, {
+    method: "POST",
+    body,
+    headers: requestHeaders
+  });
+  if (error) {
+    throw error;
+  }
+  const tokens = getOAuth2Tokens(data);
+  return tokens;
+}
+async function validateToken(token, jwksEndpoint) {
+  const { data, error } = await betterFetch(jwksEndpoint, {
+    method: "GET",
+    headers: {
+      accept: "application/json",
+      "user-agent": "better-auth"
+    }
+  });
+  if (error) {
+    throw error;
+  }
+  const keys = data["keys"];
+  const header = JSON.parse(atob(token.split(".")[0]));
+  const key = keys.find((key2) => key2.kid === header.kid);
+  if (!key) {
+    throw new Error("Key not found");
+  }
+  const verified = await jwtVerify(token, key);
+  return verified;
+}
+
+function createRefreshAccessTokenRequest({
+  refreshToken,
+  options,
+  authentication,
+  extraParams,
+  resource
+}) {
+  const body = new URLSearchParams();
+  const headers = {
+    "content-type": "application/x-www-form-urlencoded",
+    accept: "application/json"
+  };
+  body.set("grant_type", "refresh_token");
+  body.set("refresh_token", refreshToken);
+  if (authentication === "basic") {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    if (primaryClientId) {
+      headers["authorization"] = "Basic " + base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`);
+    } else {
+      headers["authorization"] = "Basic " + base64.encode(`:${options.clientSecret ?? ""}`);
+    }
+  } else {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    body.set("client_id", primaryClientId);
+    if (options.clientSecret) {
+      body.set("client_secret", options.clientSecret);
+    }
+  }
+  if (resource) {
+    if (typeof resource === "string") {
+      body.append("resource", resource);
+    } else {
+      for (const _resource of resource) {
+        body.append("resource", _resource);
+      }
+    }
+  }
+  if (extraParams) {
+    for (const [key, value] of Object.entries(extraParams)) {
+      body.set(key, value);
+    }
+  }
+  return {
+    body,
+    headers
+  };
+}
+async function refreshAccessToken({
+  refreshToken,
+  options,
+  tokenEndpoint,
+  authentication,
+  extraParams
+}) {
+  const { body, headers } = createRefreshAccessTokenRequest({
+    refreshToken,
+    options,
+    authentication,
+    extraParams
+  });
+  const { data, error } = await betterFetch(tokenEndpoint, {
+    method: "POST",
+    body,
+    headers
+  });
+  if (error) {
+    throw error;
+  }
+  const tokens = {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    tokenType: data.token_type,
+    scopes: data.scope?.split(" "),
+    idToken: data.id_token
+  };
+  if (data.expires_in) {
+    const now = /* @__PURE__ */ new Date();
+    tokens.accessTokenExpiresAt = new Date(
+      now.getTime() + data.expires_in * 1e3
+    );
+  }
+  return tokens;
+}
+
+function createClientCredentialsTokenRequest({
+  options,
+  scope,
+  authentication,
+  resource
+}) {
+  const body = new URLSearchParams();
+  const headers = {
+    "content-type": "application/x-www-form-urlencoded",
+    accept: "application/json"
+  };
+  body.set("grant_type", "client_credentials");
+  scope && body.set("scope", scope);
+  if (resource) {
+    if (typeof resource === "string") {
+      body.append("resource", resource);
+    } else {
+      for (const _resource of resource) {
+        body.append("resource", _resource);
+      }
+    }
+  }
+  if (authentication === "basic") {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    const encodedCredentials = base64Url.encode(
+      `${primaryClientId}:${options.clientSecret}`
+    );
+    headers["authorization"] = `Basic ${encodedCredentials}`;
+  } else {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    body.set("client_id", primaryClientId);
+    body.set("client_secret", options.clientSecret);
+  }
+  return {
+    body,
+    headers
+  };
+}
+async function clientCredentialsToken({
+  options,
+  tokenEndpoint,
+  scope,
+  authentication,
+  resource
+}) {
+  const { body, headers } = createClientCredentialsTokenRequest({
+    options,
+    scope,
+    authentication,
+    resource
+  });
+  const { data, error } = await betterFetch(tokenEndpoint, {
+    method: "POST",
+    body,
+    headers
+  });
+  if (error) {
+    throw error;
+  }
+  const tokens = {
+    accessToken: data.access_token,
+    tokenType: data.token_type,
+    scopes: data.scope?.split(" ")
+  };
+  if (data.expires_in) {
+    const now = /* @__PURE__ */ new Date();
+    tokens.accessTokenExpiresAt = new Date(
+      now.getTime() + data.expires_in * 1e3
+    );
+  }
+  return tokens;
+}
+
+export { clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken };

package/dist/shared/{core.CnvFgghY.d.cts → core.DeNN5HMO.d.cts}

@@ -113,5 +113,31 @@ type BetterAuthDBSchema = Record<string, {
      */
     order?: number;
 }>;
+interface SecondaryStorage {
+    /**
+     *
+     * @param key - Key to get
+     * @returns - Value of the key
+     */
+    get: (key: string) => Promise<unknown> | unknown;
+    set: (
+    /**
+     * Key to store
+     */
+    key: string, 
+    /**
+     * Value to store
+     */
+    value: string, 
+    /**
+     * Time to live in seconds
+     */
+    ttl?: number) => Promise<void | null | unknown> | void;
+    /**
+     *
+     * @param key - Key to delete
+     */
+    delete: (key: string) => Promise<void | null | string> | void;
+}
 
-export type { BetterAuthDBSchema as B, DBFieldAttribute as D, LiteralUnion as L, Models as M, LiteralString as a, DBFieldAttributeConfig as b, DBFieldType as c, DBPrimitive as d };
+export type { BetterAuthDBSchema as B, DBFieldAttribute as D, LiteralUnion as L, Models as M, SecondaryStorage as S, LiteralString as a, DBFieldAttributeConfig as b, DBFieldType as c, DBPrimitive as d };

package/dist/shared/{core.CnvFgghY.d.mts → core.DeNN5HMO.d.mts}

@@ -113,5 +113,31 @@ type BetterAuthDBSchema = Record<string, {
      */
     order?: number;
 }>;
+interface SecondaryStorage {
+    /**
+     *
+     * @param key - Key to get
+     * @returns - Value of the key
+     */
+    get: (key: string) => Promise<unknown> | unknown;
+    set: (
+    /**
+     * Key to store
+     */
+    key: string, 
+    /**
+     * Value to store
+     */
+    value: string, 
+    /**
+     * Time to live in seconds
+     */
+    ttl?: number) => Promise<void | null | unknown> | void;
+    /**
+     *
+     * @param key - Key to delete
+     */
+    delete: (key: string) => Promise<void | null | string> | void;
+}
 
-export type { BetterAuthDBSchema as B, DBFieldAttribute as D, LiteralUnion as L, Models as M, LiteralString as a, DBFieldAttributeConfig as b, DBFieldType as c, DBPrimitive as d };
+export type { BetterAuthDBSchema as B, DBFieldAttribute as D, LiteralUnion as L, Models as M, SecondaryStorage as S, LiteralString as a, DBFieldAttributeConfig as b, DBFieldType as c, DBPrimitive as d };

package/dist/shared/{core.CnvFgghY.d.ts → core.DeNN5HMO.d.ts}

@@ -113,5 +113,31 @@ type BetterAuthDBSchema = Record<string, {
      */
     order?: number;
 }>;
+interface SecondaryStorage {
+    /**
+     *
+     * @param key - Key to get
+     * @returns - Value of the key
+     */
+    get: (key: string) => Promise<unknown> | unknown;
+    set: (
+    /**
+     * Key to store
+     */
+    key: string, 
+    /**
+     * Value to store
+     */
+    value: string, 
+    /**
+     * Time to live in seconds
+     */
+    ttl?: number) => Promise<void | null | unknown> | void;
+    /**
+     *
+     * @param key - Key to delete
+     */
+    delete: (key: string) => Promise<void | null | string> | void;
+}
 
-export type { BetterAuthDBSchema as B, DBFieldAttribute as D, LiteralUnion as L, Models as M, LiteralString as a, DBFieldAttributeConfig as b, DBFieldType as c, DBPrimitive as d };
+export type { BetterAuthDBSchema as B, DBFieldAttribute as D, LiteralUnion as L, Models as M, SecondaryStorage as S, LiteralString as a, DBFieldAttributeConfig as b, DBFieldType as c, DBPrimitive as d };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.4.0-beta.7",
+  "version": "1.4.0-beta.8",
   "description": "The most comprehensive authentication library for TypeScript.",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -26,6 +26,16 @@
         "default": "./dist/async_hooks/index.cjs"
       }
     },
+    "./env": {
+      "import": {
+        "types": "./dist/env/index.d.ts",
+        "default": "./dist/env/index.mjs"
+      },
+      "require": {
+        "types": "./dist/env/index.d.cts",
+        "default": "./dist/env/index.cjs"
+      }
+    },
     "./db": {
       "import": {
         "types": "./dist/db/index.d.ts",
@@ -45,6 +55,16 @@
         "types": "./dist/db/adapter/index.d.cts",
         "default": "./dist/db/adapter/index.cjs"
       }
+    },
+    "./oauth2": {
+      "import": {
+        "types": "./dist/oauth2/index.d.ts",
+        "default": "./dist/oauth2/index.mjs"
+      },
+      "require": {
+        "types": "./dist/oauth2/index.d.cts",
+        "default": "./dist/oauth2/index.cjs"
+      }
     }
   },
   "typesVersions": {
@@ -61,12 +81,20 @@
     }
   },
   "devDependencies": {
+    "@better-auth/utils": "0.3.0",
+    "@better-fetch/fetch": "1.1.18",
+    "jose": "^6.1.0",
     "unbuild": "3.6.1"
   },
   "dependencies": {
     "better-call": "1.0.19",
     "zod": "^4.1.5"
   },
+  "peerDependencies": {
+    "@better-auth/utils": "0.3.0",
+    "@better-fetch/fetch": "1.1.18",
+    "jose": "^6.1.0"
+  },
   "scripts": {
     "build": "unbuild --clean",
     "stub": "unbuild --stub",

package/src/db/index.ts

@@ -7,11 +7,13 @@ import type {
 } from "./type";
 import type { BetterAuthPluginDBSchema } from "./plugin";
 export type { BetterAuthPluginDBSchema } from "./plugin";
+export type { SecondaryStorage } from "./type";
 export { coreSchema } from "./schema/shared";
 export { userSchema, type User } from "./schema/user";
 export { accountSchema, type Account } from "./schema/account";
 export { sessionSchema, type Session } from "./schema/session";
 export { verificationSchema, type Verification } from "./schema/verification";
+export { rateLimitSchema, type RateLimit } from "./schema/rate-limit";
 
 export type {
 	DBFieldAttribute,

package/src/db/schema/rate-limit.ts

@@ -0,0 +1,21 @@
+import * as z from "zod";
+
+export const rateLimitSchema = z.object({
+	/**
+	 * The key to use for rate limiting
+	 */
+	key: z.string(),
+	/**
+	 * The number of requests made
+	 */
+	count: z.number(),
+	/**
+	 * The last request time in milliseconds
+	 */
+	lastRequest: z.number(),
+});
+
+/**
+ * Rate limit schema type used by better-auth for rate limiting
+ */
+export type RateLimit = z.infer<typeof rateLimitSchema>;

package/src/db/type.ts

@@ -153,3 +153,31 @@ export type BetterAuthDBSchema = Record<
 		order?: number;
 	}
 >;
+
+export interface SecondaryStorage {
+	/**
+	 *
+	 * @param key - Key to get
+	 * @returns - Value of the key
+	 */
+	get: (key: string) => Promise<unknown> | unknown;
+	set: (
+		/**
+		 * Key to store
+		 */
+		key: string,
+		/**
+		 * Value to store
+		 */
+		value: string,
+		/**
+		 * Time to live in seconds
+		 */
+		ttl?: number,
+	) => Promise<void | null | unknown> | void;
+	/**
+	 *
+	 * @param key - Key to delete
+	 */
+	delete: (key: string) => Promise<void | null | string> | void;
+}