@better-auth/core 1.4.0-beta.8 → 1.4.0

package/src/social-providers/google.ts

@@ -0,0 +1,171 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt } from "jose";
+import { logger } from "../env";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+export interface GoogleProfile {
+	aud: string;
+	azp: string;
+	email: string;
+	email_verified: boolean;
+	exp: number;
+	/**
+	 * The family name of the user, or last name in most
+	 * Western languages.
+	 */
+	family_name: string;
+	/**
+	 * The given name of the user, or first name in most
+	 * Western languages.
+	 */
+	given_name: string;
+	hd?: string | undefined;
+	iat: number;
+	iss: string;
+	jti?: string | undefined;
+	locale?: string | undefined;
+	name: string;
+	nbf?: number | undefined;
+	picture: string;
+	sub: string;
+}
+
+export interface GoogleOptions extends ProviderOptions<GoogleProfile> {
+	clientId: string;
+	/**
+	 * The access type to use for the authorization code request
+	 */
+	accessType?: ("offline" | "online") | undefined;
+	/**
+	 * The display mode to use for the authorization code request
+	 */
+	display?: ("page" | "popup" | "touch" | "wap") | undefined;
+	/**
+	 * The hosted domain of the user
+	 */
+	hd?: string | undefined;
+}
+
+export const google = (options: GoogleOptions) => {
+	return {
+		id: "google",
+		name: "Google",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			loginHint,
+			display,
+		}) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error(
+					"Client Id and Client Secret is required for Google. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) {
+				throw new BetterAuthError("codeVerifier is required for Google");
+			}
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["email", "profile", "openid"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			const url = await createAuthorizationURL({
+				id: "google",
+				options,
+				authorizationEndpoint: "https://accounts.google.com/o/oauth2/auth",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+				accessType: options.accessType,
+				display: display || options.display,
+				loginHint,
+				hd: options.hd,
+				additionalParams: {
+					include_granted_scopes: "true",
+				},
+			});
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://oauth2.googleapis.com/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://www.googleapis.com/oauth2/v4/token",
+					});
+				},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+			const googlePublicKeyUrl = `https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${token}`;
+			const { data: tokenInfo } = await betterFetch<{
+				aud: string;
+				iss: string;
+				email: string;
+				email_verified: boolean;
+				name: string;
+				picture: string;
+				sub: string;
+			}>(googlePublicKeyUrl);
+			if (!tokenInfo) {
+				return false;
+			}
+			const isValid =
+				tokenInfo.aud === options.clientId &&
+				(tokenInfo.iss === "https://accounts.google.com" ||
+					tokenInfo.iss === "accounts.google.com");
+			return isValid;
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			if (!token.idToken) {
+				return null;
+			}
+			const user = decodeJwt(token.idToken) as GoogleProfile;
+			const userMap = await options.mapProfileToUser?.(user);
+			return {
+				user: {
+					id: user.sub,
+					name: user.name,
+					email: user.email,
+					image: user.picture,
+					emailVerified: user.email_verified,
+					...userMap,
+				},
+				data: user,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<GoogleProfile>;
+};

package/src/social-providers/huggingface.ts

@@ -0,0 +1,118 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+export interface HuggingFaceProfile {
+	sub: string;
+	name: string;
+	preferred_username: string;
+	profile: string;
+	picture: string;
+	website?: string | undefined;
+	email?: string | undefined;
+	email_verified?: boolean | undefined;
+	isPro: boolean;
+	canPay?: boolean | undefined;
+	orgs?:
+		| {
+				sub: string;
+				name: string;
+				picture: string;
+				preferred_username: string;
+				isEnterprise: boolean | "plus";
+				canPay?: boolean;
+				roleInOrg?: "admin" | "write" | "contributor" | "read";
+				pendingSSO?: boolean;
+				missingMFA?: boolean;
+				resourceGroups?: {
+					sub: string;
+					name: string;
+					role: "admin" | "write" | "contributor" | "read";
+				}[];
+		  }
+		| undefined;
+}
+
+export interface HuggingFaceOptions
+	extends ProviderOptions<HuggingFaceProfile> {
+	clientId: string;
+}
+
+export const huggingface = (options: HuggingFaceOptions) => {
+	return {
+		id: "huggingface",
+		name: "Hugging Face",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "huggingface",
+				options,
+				authorizationEndpoint: "https://huggingface.co/oauth/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://huggingface.co/oauth/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://huggingface.co/oauth/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<HuggingFaceProfile>(
+				"https://huggingface.co/oauth/userinfo",
+				{
+					method: "GET",
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+			if (error) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name || profile.preferred_username,
+					email: profile.email,
+					image: profile.picture,
+					emailVerified: profile.email_verified ?? false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<HuggingFaceProfile>;
+};

package/src/social-providers/index.ts

@@ -0,0 +1,124 @@
+import * as z from "zod";
+import { apple } from "./apple";
+import { atlassian } from "./atlassian";
+import { cognito } from "./cognito";
+import { discord } from "./discord";
+import { dropbox } from "./dropbox";
+import { facebook } from "./facebook";
+import { figma } from "./figma";
+import { github } from "./github";
+import { gitlab } from "./gitlab";
+import { google } from "./google";
+import { huggingface } from "./huggingface";
+import { kakao } from "./kakao";
+import { kick } from "./kick";
+import { line } from "./line";
+import { linear } from "./linear";
+import { linkedin } from "./linkedin";
+import { microsoft } from "./microsoft-entra-id";
+import { naver } from "./naver";
+import { notion } from "./notion";
+import { paybin } from "./paybin";
+import { paypal } from "./paypal";
+import { polar } from "./polar";
+import { reddit } from "./reddit";
+import { roblox } from "./roblox";
+import { salesforce } from "./salesforce";
+import { slack } from "./slack";
+import { spotify } from "./spotify";
+import { tiktok } from "./tiktok";
+import { twitch } from "./twitch";
+import { twitter } from "./twitter";
+import { vk } from "./vk";
+import { zoom } from "./zoom";
+
+export const socialProviders = {
+	apple,
+	atlassian,
+	cognito,
+	discord,
+	facebook,
+	figma,
+	github,
+	microsoft,
+	google,
+	huggingface,
+	slack,
+	spotify,
+	twitch,
+	twitter,
+	dropbox,
+	kick,
+	linear,
+	linkedin,
+	gitlab,
+	tiktok,
+	reddit,
+	roblox,
+	salesforce,
+	vk,
+	zoom,
+	notion,
+	kakao,
+	naver,
+	line,
+	paybin,
+	paypal,
+	polar,
+};
+
+export const socialProviderList = Object.keys(socialProviders) as [
+	"github",
+	...(keyof typeof socialProviders)[],
+];
+
+export const SocialProviderListEnum = z
+	.enum(socialProviderList)
+	.or(z.string()) as z.ZodType<SocialProviderList[number] | (string & {})>;
+
+export type SocialProvider = z.infer<typeof SocialProviderListEnum>;
+
+export type SocialProviders = {
+	[K in SocialProviderList[number]]?: Parameters<
+		(typeof socialProviders)[K]
+	>[0] & {
+		enabled?: boolean | undefined;
+	};
+};
+
+export * from "./apple";
+export * from "./atlassian";
+export * from "./cognito";
+export * from "./discord";
+export * from "./dropbox";
+export * from "./facebook";
+export * from "./figma";
+export * from "./github";
+export * from "./gitlab";
+export * from "./google";
+export * from "./huggingface";
+export * from "./kakao";
+export * from "./kick";
+export * from "./kick";
+export * from "./line";
+export * from "./linear";
+export * from "./linkedin";
+export * from "./linkedin";
+export * from "./microsoft-entra-id";
+export * from "./naver";
+export * from "./notion";
+export * from "./paybin";
+export * from "./paypal";
+export * from "./polar";
+export * from "./reddit";
+export * from "./roblox";
+export * from "./salesforce";
+export * from "./slack";
+export * from "./spotify";
+export * from "./tiktok";
+export * from "./twitch";
+export * from "./twitter";
+export * from "./vk";
+export * from "./zoom";
+
+export type SocialProviderList = typeof socialProviderList;

package/src/social-providers/kakao.ts

@@ -0,0 +1,178 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+interface Partner {
+	/** Partner-specific ID (consent required: kakaotalk_message) */
+	uuid?: string | undefined;
+}
+
+interface Profile {
+	/** Nickname (consent required: profile/nickname) */
+	nickname?: string | undefined;
+	/** Thumbnail image URL (consent required: profile/profile image) */
+	thumbnail_image_url?: string | undefined;
+	/** Profile image URL (consent required: profile/profile image) */
+	profile_image_url?: string | undefined;
+	/** Whether the profile image is the default */
+	is_default_image?: boolean | undefined;
+	/** Whether the nickname is the default */
+	is_default_nickname?: boolean | undefined;
+}
+
+interface KakaoAccount {
+	/** Consent required: profile info (nickname/profile image) */
+	profile_needs_agreement?: boolean | undefined;
+	/** Consent required: nickname */
+	profile_nickname_needs_agreement?: boolean | undefined;
+	/** Consent required: profile image */
+	profile_image_needs_agreement?: boolean | undefined;
+	/** Profile info */
+	profile?: Profile | undefined;
+	/** Consent required: name */
+	name_needs_agreement?: boolean | undefined;
+	/** Name */
+	name?: string | undefined;
+	/** Consent required: email */
+	email_needs_agreement?: boolean | undefined;
+	/** Email valid */
+	is_email_valid?: boolean | undefined;
+	/** Email verified */
+	is_email_verified?: boolean | undefined;
+	/** Email */
+	email?: string | undefined;
+	/** Consent required: age range */
+	age_range_needs_agreement?: boolean | undefined;
+	/** Age range */
+	age_range?: string | undefined;
+	/** Consent required: birth year */
+	birthyear_needs_agreement?: boolean | undefined;
+	/** Birth year (YYYY) */
+	birthyear?: string | undefined;
+	/** Consent required: birthday */
+	birthday_needs_agreement?: boolean | undefined;
+	/** Birthday (MMDD) */
+	birthday?: string | undefined;
+	/** Birthday type (SOLAR/LUNAR) */
+	birthday_type?: string | undefined;
+	/** Whether birthday is in a leap month */
+	is_leap_month?: boolean | undefined;
+	/** Consent required: gender */
+	gender_needs_agreement?: boolean | undefined;
+	/** Gender (male/female) */
+	gender?: string | undefined;
+	/** Consent required: phone number */
+	phone_number_needs_agreement?: boolean | undefined;
+	/** Phone number */
+	phone_number?: string | undefined;
+	/** Consent required: CI */
+	ci_needs_agreement?: boolean | undefined;
+	/** CI (unique identifier) */
+	ci?: string | undefined;
+	/** CI authentication time (UTC) */
+	ci_authenticated_at?: string | undefined;
+}
+
+export interface KakaoProfile {
+	/** Kakao user ID */
+	id: number;
+	/**
+	 * Whether the user has signed up (only present if auto-connection is disabled)
+	 * false: preregistered, true: registered
+	 */
+	has_signed_up?: boolean | undefined;
+	/** UTC datetime when the user connected the service */
+	connected_at?: string | undefined;
+	/** UTC datetime when the user signed up via Kakao Sync */
+	synched_at?: string | undefined;
+	/** Custom user properties */
+	properties?: Record<string, any> | undefined;
+	/** Kakao account info */
+	kakao_account: KakaoAccount;
+	/** Partner info */
+	for_partner?: Partner | undefined;
+}
+
+export interface KakaoOptions extends ProviderOptions<KakaoProfile> {
+	clientId: string;
+}
+
+export const kakao = (options: KakaoOptions) => {
+	return {
+		id: "kakao",
+		name: "Kakao",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["account_email", "profile_image", "profile_nickname"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "kakao",
+				options,
+				authorizationEndpoint: "https://kauth.kakao.com/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://kauth.kakao.com/oauth/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://kauth.kakao.com/oauth/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<KakaoProfile>(
+				"https://kapi.kakao.com/v2/user/me",
+				{
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+			if (error || !profile) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			const account = profile.kakao_account || {};
+			const kakaoProfile = account.profile || {};
+			const user = {
+				id: String(profile.id),
+				name: kakaoProfile.nickname || account.name || undefined,
+				email: account.email,
+				image:
+					kakaoProfile.profile_image_url || kakaoProfile.thumbnail_image_url,
+				emailVerified: !!account.is_email_valid && !!account.is_email_verified,
+				...userMap,
+			};
+			return {
+				user,
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<KakaoProfile>;
+};

package/src/social-providers/kick.ts

@@ -0,0 +1,93 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import { createAuthorizationURL, validateAuthorizationCode } from "../oauth2";
+
+export interface KickProfile {
+	/**
+	 * The user id of the user
+	 */
+	user_id: string;
+	/**
+	 * The name of the user
+	 */
+	name: string;
+	/**
+	 * The email of the user
+	 */
+	email: string;
+	/**
+	 * The picture of the user
+	 */
+	profile_picture: string;
+}
+
+export interface KickOptions extends ProviderOptions<KickProfile> {
+	clientId: string;
+}
+
+export const kick = (options: KickOptions) => {
+	return {
+		id: "kick",
+		name: "Kick",
+		createAuthorizationURL({ state, scopes, redirectURI, codeVerifier }) {
+			const _scopes = options.disableDefaultScope ? [] : ["user:read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+
+			return createAuthorizationURL({
+				id: "kick",
+				redirectURI,
+				options,
+				authorizationEndpoint: "https://id.kick.com/oauth/authorize",
+				scopes: _scopes,
+				codeVerifier,
+				state,
+			});
+		},
+		async validateAuthorizationCode({ code, redirectURI, codeVerifier }) {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://id.kick.com/oauth/token",
+				codeVerifier,
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			const { data, error } = await betterFetch<{
+				data: KickProfile[];
+			}>("https://api.kick.com/public/v1/users", {
+				method: "GET",
+				headers: {
+					Authorization: `Bearer ${token.accessToken}`,
+				},
+			});
+
+			if (error) {
+				return null;
+			}
+
+			const profile = data.data[0]!;
+
+			const userMap = await options.mapProfileToUser?.(profile);
+			// Kick does not provide email_verified claim.
+			// We default to false for security consistency.
+			return {
+				user: {
+					id: profile.user_id,
+					name: profile.name,
+					email: profile.email,
+					image: profile.profile_picture,
+					emailVerified: false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<KickProfile>;
+};