@better-auth/core 1.4.0-beta.7 → 1.4.0-beta.9

package/dist/oauth2/index.mjs

@@ -0,0 +1,357 @@
+import { base64Url, base64 } from '@better-auth/utils/base64';
+import { betterFetch } from '@better-fetch/fetch';
+import { jwtVerify } from 'jose';
+
+function getOAuth2Tokens(data) {
+  const getDate = (seconds) => {
+    const now = /* @__PURE__ */ new Date();
+    return new Date(now.getTime() + seconds * 1e3);
+  };
+  return {
+    tokenType: data.token_type,
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    accessTokenExpiresAt: data.expires_in ? getDate(data.expires_in) : void 0,
+    refreshTokenExpiresAt: data.refresh_token_expires_in ? getDate(data.refresh_token_expires_in) : void 0,
+    scopes: data?.scope ? typeof data.scope === "string" ? data.scope.split(" ") : data.scope : [],
+    idToken: data.id_token
+  };
+}
+async function generateCodeChallenge(codeVerifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(codeVerifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return base64Url.encode(new Uint8Array(hash), {
+    padding: false
+  });
+}
+
+async function createAuthorizationURL({
+  id,
+  options,
+  authorizationEndpoint,
+  state,
+  codeVerifier,
+  scopes,
+  claims,
+  redirectURI,
+  duration,
+  prompt,
+  accessType,
+  responseType,
+  display,
+  loginHint,
+  hd,
+  responseMode,
+  additionalParams,
+  scopeJoiner
+}) {
+  const url = new URL(authorizationEndpoint);
+  url.searchParams.set("response_type", responseType || "code");
+  const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+  url.searchParams.set("client_id", primaryClientId);
+  url.searchParams.set("state", state);
+  url.searchParams.set("scope", scopes.join(scopeJoiner || " "));
+  url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+  duration && url.searchParams.set("duration", duration);
+  display && url.searchParams.set("display", display);
+  loginHint && url.searchParams.set("login_hint", loginHint);
+  prompt && url.searchParams.set("prompt", prompt);
+  hd && url.searchParams.set("hd", hd);
+  accessType && url.searchParams.set("access_type", accessType);
+  responseMode && url.searchParams.set("response_mode", responseMode);
+  if (codeVerifier) {
+    const codeChallenge = await generateCodeChallenge(codeVerifier);
+    url.searchParams.set("code_challenge_method", "S256");
+    url.searchParams.set("code_challenge", codeChallenge);
+  }
+  if (claims) {
+    const claimsObj = claims.reduce(
+      (acc, claim) => {
+        acc[claim] = null;
+        return acc;
+      },
+      {}
+    );
+    url.searchParams.set(
+      "claims",
+      JSON.stringify({
+        id_token: { email: null, email_verified: null, ...claimsObj }
+      })
+    );
+  }
+  if (additionalParams) {
+    Object.entries(additionalParams).forEach(([key, value]) => {
+      url.searchParams.set(key, value);
+    });
+  }
+  return url;
+}
+
+function createAuthorizationCodeRequest({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams = {},
+  resource
+}) {
+  const body = new URLSearchParams();
+  const requestHeaders = {
+    "content-type": "application/x-www-form-urlencoded",
+    accept: "application/json",
+    "user-agent": "better-auth",
+    ...headers
+  };
+  body.set("grant_type", "authorization_code");
+  body.set("code", code);
+  codeVerifier && body.set("code_verifier", codeVerifier);
+  options.clientKey && body.set("client_key", options.clientKey);
+  deviceId && body.set("device_id", deviceId);
+  body.set("redirect_uri", options.redirectURI || redirectURI);
+  if (resource) {
+    if (typeof resource === "string") {
+      body.append("resource", resource);
+    } else {
+      for (const _resource of resource) {
+        body.append("resource", _resource);
+      }
+    }
+  }
+  if (authentication === "basic") {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    const encodedCredentials = base64.encode(
+      `${primaryClientId}:${options.clientSecret ?? ""}`
+    );
+    requestHeaders["authorization"] = `Basic ${encodedCredentials}`;
+  } else {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    body.set("client_id", primaryClientId);
+    if (options.clientSecret) {
+      body.set("client_secret", options.clientSecret);
+    }
+  }
+  for (const [key, value] of Object.entries(additionalParams)) {
+    if (!body.has(key)) body.append(key, value);
+  }
+  return {
+    body,
+    headers: requestHeaders
+  };
+}
+async function validateAuthorizationCode({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  tokenEndpoint,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams = {},
+  resource
+}) {
+  const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+    code,
+    codeVerifier,
+    redirectURI,
+    options,
+    authentication,
+    deviceId,
+    headers,
+    additionalParams,
+    resource
+  });
+  const { data, error } = await betterFetch(tokenEndpoint, {
+    method: "POST",
+    body,
+    headers: requestHeaders
+  });
+  if (error) {
+    throw error;
+  }
+  const tokens = getOAuth2Tokens(data);
+  return tokens;
+}
+async function validateToken(token, jwksEndpoint) {
+  const { data, error } = await betterFetch(jwksEndpoint, {
+    method: "GET",
+    headers: {
+      accept: "application/json",
+      "user-agent": "better-auth"
+    }
+  });
+  if (error) {
+    throw error;
+  }
+  const keys = data["keys"];
+  const header = JSON.parse(atob(token.split(".")[0]));
+  const key = keys.find((key2) => key2.kid === header.kid);
+  if (!key) {
+    throw new Error("Key not found");
+  }
+  const verified = await jwtVerify(token, key);
+  return verified;
+}
+
+function createRefreshAccessTokenRequest({
+  refreshToken,
+  options,
+  authentication,
+  extraParams,
+  resource
+}) {
+  const body = new URLSearchParams();
+  const headers = {
+    "content-type": "application/x-www-form-urlencoded",
+    accept: "application/json"
+  };
+  body.set("grant_type", "refresh_token");
+  body.set("refresh_token", refreshToken);
+  if (authentication === "basic") {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    if (primaryClientId) {
+      headers["authorization"] = "Basic " + base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`);
+    } else {
+      headers["authorization"] = "Basic " + base64.encode(`:${options.clientSecret ?? ""}`);
+    }
+  } else {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    body.set("client_id", primaryClientId);
+    if (options.clientSecret) {
+      body.set("client_secret", options.clientSecret);
+    }
+  }
+  if (resource) {
+    if (typeof resource === "string") {
+      body.append("resource", resource);
+    } else {
+      for (const _resource of resource) {
+        body.append("resource", _resource);
+      }
+    }
+  }
+  if (extraParams) {
+    for (const [key, value] of Object.entries(extraParams)) {
+      body.set(key, value);
+    }
+  }
+  return {
+    body,
+    headers
+  };
+}
+async function refreshAccessToken({
+  refreshToken,
+  options,
+  tokenEndpoint,
+  authentication,
+  extraParams
+}) {
+  const { body, headers } = createRefreshAccessTokenRequest({
+    refreshToken,
+    options,
+    authentication,
+    extraParams
+  });
+  const { data, error } = await betterFetch(tokenEndpoint, {
+    method: "POST",
+    body,
+    headers
+  });
+  if (error) {
+    throw error;
+  }
+  const tokens = {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    tokenType: data.token_type,
+    scopes: data.scope?.split(" "),
+    idToken: data.id_token
+  };
+  if (data.expires_in) {
+    const now = /* @__PURE__ */ new Date();
+    tokens.accessTokenExpiresAt = new Date(
+      now.getTime() + data.expires_in * 1e3
+    );
+  }
+  return tokens;
+}
+
+function createClientCredentialsTokenRequest({
+  options,
+  scope,
+  authentication,
+  resource
+}) {
+  const body = new URLSearchParams();
+  const headers = {
+    "content-type": "application/x-www-form-urlencoded",
+    accept: "application/json"
+  };
+  body.set("grant_type", "client_credentials");
+  scope && body.set("scope", scope);
+  if (resource) {
+    if (typeof resource === "string") {
+      body.append("resource", resource);
+    } else {
+      for (const _resource of resource) {
+        body.append("resource", _resource);
+      }
+    }
+  }
+  if (authentication === "basic") {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    const encodedCredentials = base64Url.encode(
+      `${primaryClientId}:${options.clientSecret}`
+    );
+    headers["authorization"] = `Basic ${encodedCredentials}`;
+  } else {
+    const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+    body.set("client_id", primaryClientId);
+    body.set("client_secret", options.clientSecret);
+  }
+  return {
+    body,
+    headers
+  };
+}
+async function clientCredentialsToken({
+  options,
+  tokenEndpoint,
+  scope,
+  authentication,
+  resource
+}) {
+  const { body, headers } = createClientCredentialsTokenRequest({
+    options,
+    scope,
+    authentication,
+    resource
+  });
+  const { data, error } = await betterFetch(tokenEndpoint, {
+    method: "POST",
+    body,
+    headers
+  });
+  if (error) {
+    throw error;
+  }
+  const tokens = {
+    accessToken: data.access_token,
+    tokenType: data.token_type,
+    scopes: data.scope?.split(" ")
+  };
+  if (data.expires_in) {
+    const now = /* @__PURE__ */ new Date();
+    tokens.accessTokenExpiresAt = new Date(
+      now.getTime() + data.expires_in * 1e3
+    );
+  }
+  return tokens;
+}
+
+export { clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken };

package/dist/shared/core.2rWMW9q9.d.ts

@@ -0,0 +1,13 @@
+import { D as DBFieldAttribute } from './core.CPuIItYE.js';
+
+type BetterAuthPluginDBSchema = {
+    [table in string]: {
+        fields: {
+            [field in string]: DBFieldAttribute;
+        };
+        disableMigration?: boolean;
+        modelName?: string;
+    };
+};
+
+export type { BetterAuthPluginDBSchema as B };

package/dist/shared/core.40VTWh-p.d.cts

@@ -0,0 +1,217 @@
+import * as z from 'zod';
+import { ZodType } from 'zod';
+import { L as LiteralString } from './core.MjcDoj7R.cjs';
+
+type DBPreservedModels = "user" | "account" | "session" | "verification" | "rate-limit" | "organization" | "member" | "invitation" | "jwks" | "passkey" | "two-factor";
+type DBFieldType = "string" | "number" | "boolean" | "date" | "json" | `${"string" | "number"}[]` | Array<LiteralString>;
+type DBPrimitive = string | number | boolean | Date | null | undefined | string[] | number[];
+type DBFieldAttributeConfig = {
+    /**
+     * If the field should be required on a new record.
+     * @default true
+     */
+    required?: boolean;
+    /**
+     * If the value should be returned on a response body.
+     * @default true
+     */
+    returned?: boolean;
+    /**
+     * If a value should be provided when creating a new record.
+     * @default true
+     */
+    input?: boolean;
+    /**
+     * Default value for the field
+     *
+     * Note: This will not create a default value on the database level. It will only
+     * be used when creating a new record.
+     */
+    defaultValue?: DBPrimitive | (() => DBPrimitive);
+    /**
+     * Update value for the field
+     *
+     * Note: This will create an onUpdate trigger on the database level for supported adapters.
+     * It will be called when updating a record.
+     */
+    onUpdate?: () => DBPrimitive;
+    /**
+     * transform the value before storing it.
+     */
+    transform?: {
+        input?: (value: DBPrimitive) => DBPrimitive | Promise<DBPrimitive>;
+        output?: (value: DBPrimitive) => DBPrimitive | Promise<DBPrimitive>;
+    };
+    /**
+     * Reference to another model.
+     */
+    references?: {
+        /**
+         * The model to reference.
+         */
+        model: string;
+        /**
+         * The field on the referenced model.
+         */
+        field: string;
+        /**
+         * The action to perform when the reference is deleted.
+         * @default "cascade"
+         */
+        onDelete?: "no action" | "restrict" | "cascade" | "set null" | "set default";
+    };
+    unique?: boolean;
+    /**
+     * If the field should be a bigint on the database instead of integer.
+     */
+    bigint?: boolean;
+    /**
+     * A zod schema to validate the value.
+     */
+    validator?: {
+        input?: ZodType;
+        output?: ZodType;
+    };
+    /**
+     * The name of the field on the database.
+     */
+    fieldName?: string;
+    /**
+     * If the field should be sortable.
+     *
+     * applicable only for `text` type.
+     * It's useful to mark fields varchar instead of text.
+     */
+    sortable?: boolean;
+};
+type DBFieldAttribute<T extends DBFieldType = DBFieldType> = {
+    type: T;
+} & DBFieldAttributeConfig;
+type BetterAuthDBSchema = Record<string, {
+    /**
+     * The name of the table in the database
+     */
+    modelName: string;
+    /**
+     * The fields of the table
+     */
+    fields: Record<string, DBFieldAttribute>;
+    /**
+     * Whether to disable migrations for this table
+     * @default false
+     */
+    disableMigrations?: boolean;
+    /**
+     * The order of the table
+     */
+    order?: number;
+}>;
+interface SecondaryStorage {
+    /**
+     *
+     * @param key - Key to get
+     * @returns - Value of the key
+     */
+    get: (key: string) => Promise<unknown> | unknown;
+    set: (
+    /**
+     * Key to store
+     */
+    key: string, 
+    /**
+     * Value to store
+     */
+    value: string, 
+    /**
+     * Time to live in seconds
+     */
+    ttl?: number) => Promise<void | null | unknown> | void;
+    /**
+     *
+     * @param key - Key to delete
+     */
+    delete: (key: string) => Promise<void | null | string> | void;
+}
+
+declare const userSchema: z.ZodObject<{
+    id: z.ZodString;
+    createdAt: z.ZodDefault<z.ZodDate>;
+    updatedAt: z.ZodDefault<z.ZodDate>;
+    email: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    emailVerified: z.ZodDefault<z.ZodBoolean>;
+    name: z.ZodString;
+    image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+}, z.core.$strip>;
+/**
+ * User schema type used by better-auth, note that it's possible that user could have additional fields
+ *
+ * todo: we should use generics to extend this type with additional fields from plugins and options in the future
+ */
+type User = z.infer<typeof userSchema>;
+
+declare const accountSchema: z.ZodObject<{
+    id: z.ZodString;
+    createdAt: z.ZodDefault<z.ZodDate>;
+    updatedAt: z.ZodDefault<z.ZodDate>;
+    providerId: z.ZodString;
+    accountId: z.ZodString;
+    userId: z.ZodCoercedString<unknown>;
+    accessToken: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    refreshToken: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    idToken: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    accessTokenExpiresAt: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    refreshTokenExpiresAt: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    scope: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    password: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+}, z.core.$strip>;
+/**
+ * Account schema type used by better-auth, note that it's possible that account could have additional fields
+ *
+ * todo: we should use generics to extend this type with additional fields from plugins and options in the future
+ */
+type Account = z.infer<typeof accountSchema>;
+
+declare const sessionSchema: z.ZodObject<{
+    id: z.ZodString;
+    createdAt: z.ZodDefault<z.ZodDate>;
+    updatedAt: z.ZodDefault<z.ZodDate>;
+    userId: z.ZodCoercedString<unknown>;
+    expiresAt: z.ZodDate;
+    token: z.ZodString;
+    ipAddress: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    userAgent: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+}, z.core.$strip>;
+/**
+ * Session schema type used by better-auth, note that it's possible that session could have additional fields
+ *
+ * todo: we should use generics to extend this type with additional fields from plugins and options in the future
+ */
+type Session = z.infer<typeof sessionSchema>;
+
+declare const verificationSchema: z.ZodObject<{
+    id: z.ZodString;
+    createdAt: z.ZodDefault<z.ZodDate>;
+    updatedAt: z.ZodDefault<z.ZodDate>;
+    value: z.ZodString;
+    expiresAt: z.ZodDate;
+    identifier: z.ZodString;
+}, z.core.$strip>;
+/**
+ * Verification schema type used by better-auth, note that it's possible that verification could have additional fields
+ *
+ * todo: we should use generics to extend this type with additional fields from plugins and options in the future
+ */
+type Verification = z.infer<typeof verificationSchema>;
+
+declare const rateLimitSchema: z.ZodObject<{
+    key: z.ZodString;
+    count: z.ZodNumber;
+    lastRequest: z.ZodNumber;
+}, z.core.$strip>;
+/**
+ * Rate limit schema type used by better-auth for rate limiting
+ */
+type RateLimit = z.infer<typeof rateLimitSchema>;
+
+export { accountSchema as e, rateLimitSchema as r, sessionSchema as s, userSchema as u, verificationSchema as v };
+export type { Account as A, BetterAuthDBSchema as B, DBFieldAttribute as D, RateLimit as R, SecondaryStorage as S, User as U, Verification as V, DBFieldAttributeConfig as a, DBFieldType as b, DBPrimitive as c, DBPreservedModels as d, Session as f };