@better-auth/core 1.4.0-beta.9 → 1.4.0

package/src/oauth2/oauth-provider.ts

@@ -1,20 +1,25 @@
 import type { LiteralString } from "../types";
 
 export interface OAuth2Tokens {
-	tokenType?: string;
-	accessToken?: string;
-	refreshToken?: string;
-	accessTokenExpiresAt?: Date;
-	refreshTokenExpiresAt?: Date;
-	scopes?: string[];
-	idToken?: string;
+	tokenType?: string | undefined;
+	accessToken?: string | undefined;
+	refreshToken?: string | undefined;
+	accessTokenExpiresAt?: Date | undefined;
+	refreshTokenExpiresAt?: Date | undefined;
+	scopes?: string[] | undefined;
+	idToken?: string | undefined;
+	/**
+	 * Raw token response from the provider.
+	 * Preserves provider-specific fields that are not part of the standard OAuth2 token response.
+	 */
+	raw?: Record<string, unknown> | undefined;
 }
 
 export type OAuth2UserInfo = {
 	id: string | number;
-	name?: string;
-	email?: string | null;
-	image?: string;
+	name?: string | undefined;
+	email?: (string | null) | undefined;
+	image?: string | undefined;
 	emailVerified: boolean;
 };
 
@@ -26,17 +31,17 @@ export interface OAuthProvider<
 	createAuthorizationURL: (data: {
 		state: string;
 		codeVerifier: string;
-		scopes?: string[];
+		scopes?: string[] | undefined;
 		redirectURI: string;
-		display?: string;
-		loginHint?: string;
+		display?: string | undefined;
+		loginHint?: string | undefined;
 	}) => Promise<URL> | URL;
 	name: string;
 	validateAuthorizationCode: (data: {
 		code: string;
 		redirectURI: string;
-		codeVerifier?: string;
-		deviceId?: string;
+		codeVerifier?: string | undefined;
+		deviceId?: string | undefined;
 	}) => Promise<OAuth2Tokens>;
 	getUserInfo: (
 		token: OAuth2Tokens & {
@@ -44,13 +49,15 @@ export interface OAuthProvider<
 			 * The user object from the provider
 			 * This is only available for some providers like Apple
 			 */
-			user?: {
-				name?: {
-					firstName?: string;
-					lastName?: string;
-				};
-				email?: string;
-			};
+			user?:
+				| {
+						name?: {
+							firstName?: string;
+							lastName?: string;
+						};
+						email?: string;
+				  }
+				| undefined;
 		},
 	) => Promise<{
 		user: OAuth2UserInfo;
@@ -59,28 +66,32 @@ export interface OAuthProvider<
 	/**
 	 * Custom function to refresh a token
 	 */
-	refreshAccessToken?: (refreshToken: string) => Promise<OAuth2Tokens>;
-	revokeToken?: (token: string) => Promise<void>;
+	refreshAccessToken?:
+		| ((refreshToken: string) => Promise<OAuth2Tokens>)
+		| undefined;
+	revokeToken?: ((token: string) => Promise<void>) | undefined;
 	/**
 	 * Verify the id token
 	 * @param token - The id token
 	 * @param nonce - The nonce
 	 * @returns True if the id token is valid, false otherwise
 	 */
-	verifyIdToken?: (token: string, nonce?: string) => Promise<boolean>;
+	verifyIdToken?:
+		| ((token: string, nonce?: string) => Promise<boolean>)
+		| undefined;
 	/**
 	 * Disable implicit sign up for new users. When set to true for the provider,
 	 * sign-in need to be called with with requestSignUp as true to create new users.
 	 */
-	disableImplicitSignUp?: boolean;
+	disableImplicitSignUp?: boolean | undefined;
 	/**
 	 * Disable sign up for new users.
 	 */
-	disableSignUp?: boolean;
+	disableSignUp?: boolean | undefined;
 	/**
 	 * Options for the provider
 	 */
-	options?: O;
+	options?: O | undefined;
 }
 
 export type ProviderOptions<Profile extends Record<string, any> = any> = {
@@ -89,106 +100,117 @@ export type ProviderOptions<Profile extends Record<string, any> = any> = {
 	 *
 	 * This is usually a string but can be any type depending on the provider.
 	 */
-	clientId?: unknown;
+	clientId?: unknown | undefined;
 	/**
 	 * The client secret of your application
 	 */
-	clientSecret?: string;
+	clientSecret?: string | undefined;
 	/**
 	 * The scopes you want to request from the provider
 	 */
-	scope?: string[];
+	scope?: string[] | undefined;
 	/**
 	 * Remove default scopes of the provider
 	 */
-	disableDefaultScope?: boolean;
+	disableDefaultScope?: boolean | undefined;
 	/**
 	 * The redirect URL for your application. This is where the provider will
 	 * redirect the user after the sign in process. Make sure this URL is
 	 * whitelisted in the provider's dashboard.
 	 */
-	redirectURI?: string;
+	redirectURI?: string | undefined;
 	/**
 	 * The client key of your application
 	 * Tiktok Social Provider uses this field instead of clientId
 	 */
-	clientKey?: string;
+	clientKey?: string | undefined;
 	/**
 	 * Disable provider from allowing users to sign in
 	 * with this provider with an id token sent from the
 	 * client.
 	 */
-	disableIdTokenSignIn?: boolean;
+	disableIdTokenSignIn?: boolean | undefined;
 	/**
 	 * verifyIdToken function to verify the id token
 	 */
-	verifyIdToken?: (token: string, nonce?: string) => Promise<boolean>;
+	verifyIdToken?:
+		| ((token: string, nonce?: string) => Promise<boolean>)
+		| undefined;
 	/**
 	 * Custom function to get user info from the provider
 	 */
-	getUserInfo?: (token: OAuth2Tokens) => Promise<{
-		user: {
-			id: string;
-			name?: string;
-			email?: string | null;
-			image?: string;
-			emailVerified: boolean;
-			[key: string]: any;
-		};
-		data: any;
-	}>;
+	getUserInfo?:
+		| ((token: OAuth2Tokens) => Promise<{
+				user: {
+					id: string;
+					name?: string;
+					email?: string | null;
+					image?: string;
+					emailVerified: boolean;
+					[key: string]: any;
+				};
+				data: any;
+		  }>)
+		| undefined;
 	/**
 	 * Custom function to refresh a token
 	 */
-	refreshAccessToken?: (refreshToken: string) => Promise<OAuth2Tokens>;
+	refreshAccessToken?:
+		| ((refreshToken: string) => Promise<OAuth2Tokens>)
+		| undefined;
 	/**
 	 * Custom function to map the provider profile to a
 	 * user.
 	 */
-	mapProfileToUser?: (profile: Profile) =>
-		| {
-				id?: string;
-				name?: string;
-				email?: string | null;
-				image?: string;
-				emailVerified?: boolean;
-				[key: string]: any;
-		  }
-		| Promise<{
-				id?: string;
-				name?: string;
-				email?: string | null;
-				image?: string;
-				emailVerified?: boolean;
-				[key: string]: any;
-		  }>;
+	mapProfileToUser?:
+		| ((profile: Profile) =>
+				| {
+						id?: string;
+						name?: string;
+						email?: string | null;
+						image?: string;
+						emailVerified?: boolean;
+						[key: string]: any;
+				  }
+				| Promise<{
+						id?: string;
+						name?: string;
+						email?: string | null;
+						image?: string;
+						emailVerified?: boolean;
+						[key: string]: any;
+				  }>)
+		| undefined;
 	/**
 	 * Disable implicit sign up for new users. When set to true for the provider,
 	 * sign-in need to be called with with requestSignUp as true to create new users.
 	 */
-	disableImplicitSignUp?: boolean;
+	disableImplicitSignUp?: boolean | undefined;
 	/**
 	 * Disable sign up for new users.
 	 */
-	disableSignUp?: boolean;
+	disableSignUp?: boolean | undefined;
 	/**
 	 * The prompt to use for the authorization code request
 	 */
 	prompt?:
-		| "select_account"
-		| "consent"
-		| "login"
-		| "none"
-		| "select_account consent";
+		| (
+				| "select_account"
+				| "consent"
+				| "login"
+				| "none"
+				| "select_account consent"
+		  )
+		| undefined;
 	/**
 	 * The response mode to use for the authorization code request
 	 */
-	responseMode?: "query" | "form_post";
+	responseMode?: ("query" | "form_post") | undefined;
 	/**
 	 * If enabled, the user info will be overridden with the provider user info
 	 * This is useful if you want to use the provider user info to update the user info
 	 *
 	 * @default false
 	 */
-	overrideUserInfoOnSignIn?: boolean;
+	overrideUserInfoOnSignIn?: boolean | undefined;
 };

package/src/oauth2/refresh-access-token.ts

@@ -1,6 +1,6 @@
+import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
 import type { OAuth2Tokens, ProviderOptions } from "./oauth-provider";
-import { base64 } from "@better-auth/utils/base64";
 
 export function createRefreshAccessTokenRequest({
 	refreshToken,
@@ -11,9 +11,9 @@ export function createRefreshAccessTokenRequest({
 }: {
 	refreshToken: string;
 	options: Partial<ProviderOptions>;
-	authentication?: "basic" | "post";
-	extraParams?: Record<string, string>;
-	resource?: string | string[];
+	authentication?: ("basic" | "post") | undefined;
+	extraParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
 }) {
 	const body = new URLSearchParams();
 	const headers: Record<string, any> = {
@@ -78,10 +78,10 @@ export async function refreshAccessToken({
 	refreshToken: string;
 	options: Partial<ProviderOptions>;
 	tokenEndpoint: string;
-	authentication?: "basic" | "post";
-	extraParams?: Record<string, string>;
+	authentication?: ("basic" | "post") | undefined;
+	extraParams?: Record<string, string> | undefined;
 	/** @deprecated always "refresh_token" */
-	grantType?: string;
+	grantType?: string | undefined;
 }): Promise<OAuth2Tokens> {
 	const { body, headers } = createRefreshAccessTokenRequest({
 		refreshToken,
@@ -92,11 +92,11 @@ export async function refreshAccessToken({
 
 	const { data, error } = await betterFetch<{
 		access_token: string;
-		refresh_token?: string;
-		expires_in?: number;
-		token_type?: string;
-		scope?: string;
-		id_token?: string;
+		refresh_token?: string | undefined;
+		expires_in?: number | undefined;
+		token_type?: string | undefined;
+		scope?: string | undefined;
+		id_token?: string | undefined;
 	}>(tokenEndpoint, {
 		method: "POST",
 		body,

package/src/oauth2/utils.ts

@@ -23,6 +23,8 @@ export function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens {
 				: data.scope
 			: [],
 		idToken: data.id_token,
+		// Preserve the raw token response for provider-specific fields
+		raw: data,
 	};
 }
 

package/src/oauth2/validate-authorization-code.ts

@@ -1,8 +1,8 @@
+import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
 import { jwtVerify } from "jose";
 import type { ProviderOptions } from "./index";
 import { getOAuth2Tokens } from "./index";
-import { base64 } from "@better-auth/utils/base64";
 
 export function createAuthorizationCodeRequest({
 	code,
@@ -18,18 +18,17 @@ export function createAuthorizationCodeRequest({
 	code: string;
 	redirectURI: string;
 	options: Partial<ProviderOptions>;
-	codeVerifier?: string;
-	deviceId?: string;
-	authentication?: "basic" | "post";
-	headers?: Record<string, string>;
-	additionalParams?: Record<string, string>;
-	resource?: string | string[];
+	codeVerifier?: string | undefined;
+	deviceId?: string | undefined;
+	authentication?: ("basic" | "post") | undefined;
+	headers?: Record<string, string> | undefined;
+	additionalParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
 }) {
 	const body = new URLSearchParams();
 	const requestHeaders: Record<string, any> = {
 		"content-type": "application/x-www-form-urlencoded",
 		accept: "application/json",
-		"user-agent": "better-auth",
 		...headers,
 	};
 	body.set("grant_type", "authorization_code");
@@ -92,13 +91,13 @@ export async function validateAuthorizationCode({
 	code: string;
 	redirectURI: string;
 	options: Partial<ProviderOptions>;
-	codeVerifier?: string;
-	deviceId?: string;
+	codeVerifier?: string | undefined;
+	deviceId?: string | undefined;
 	tokenEndpoint: string;
-	authentication?: "basic" | "post";
-	headers?: Record<string, string>;
-	additionalParams?: Record<string, string>;
-	resource?: string | string[];
+	authentication?: ("basic" | "post") | undefined;
+	headers?: Record<string, string> | undefined;
+	additionalParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
 }) {
 	const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
 		code,
@@ -139,7 +138,6 @@ export async function validateToken(token: string, jwksEndpoint: string) {
 		method: "GET",
 		headers: {
 			accept: "application/json",
-			"user-agent": "better-auth",
 		},
 	});
 	if (error) {

package/src/social-providers/apple.ts

@@ -1,12 +1,12 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { APIError } from "better-call";
 import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
-	refreshAccessToken,
 	createAuthorizationURL,
+	refreshAccessToken,
 	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
+} from "../oauth2";
 export interface AppleProfile {
 	/**
 	 * The subject registered claim identifies the principal that’s the subject
@@ -52,7 +52,7 @@ export interface AppleProfile {
 	 * The URL to the user's profile picture.
 	 */
 	picture: string;
-	user?: AppleNonConformUser;
+	user?: AppleNonConformUser | undefined;
 }
 
 /**
@@ -70,8 +70,8 @@ export interface AppleNonConformUser {
 
 export interface AppleOptions extends ProviderOptions<AppleProfile> {
 	clientId: string;
-	appBundleIdentifier?: string;
-	audience?: string | string[];
+	appBundleIdentifier?: string | undefined;
+	audience?: (string | string[]) | undefined;
 }
 
 export const apple = (options: AppleOptions) => {
@@ -81,8 +81,8 @@ export const apple = (options: AppleOptions) => {
 		name: "Apple",
 		async createAuthorizationURL({ state, scopes, redirectURI }) {
 			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
-			options.scope && _scope.push(...options.scope);
-			scopes && _scope.push(...scopes);
+			if (options.scope) _scope.push(...options.scope);
+			if (scopes) _scope.push(...scopes);
 			const url = await createAuthorizationURL({
 				id: "apple",
 				options,

package/src/social-providers/atlassian.ts

@@ -1,27 +1,29 @@
 import { betterFetch } from "@better-fetch/fetch";
+import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	refreshAccessToken,
 	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
-import { logger } from "@better-auth/core/env";
-import { refreshAccessToken } from "@better-auth/core/oauth2";
+} from "../oauth2";
 
 export interface AtlassianProfile {
-	account_type?: string;
+	account_type?: string | undefined;
 	account_id: string;
-	email?: string;
+	email?: string | undefined;
 	name: string;
-	picture?: string;
-	nickname?: string;
-	locale?: string;
-	extended_profile?: {
-		job_title?: string;
-		organization?: string;
-		department?: string;
-		location?: string;
-	};
+	picture?: string | undefined;
+	nickname?: string | undefined;
+	locale?: string | undefined;
+	extended_profile?:
+		| {
+				job_title?: string;
+				organization?: string;
+				department?: string;
+				location?: string;
+		  }
+		| undefined;
 }
 export interface AtlassianOptions extends ProviderOptions<AtlassianProfile> {
 	clientId: string;
@@ -44,8 +46,8 @@ export const atlassian = (options: AtlassianOptions) => {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["read:jira-user", "offline_access"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 
 			return createAuthorizationURL({
 				id: "atlassian",
@@ -98,8 +100,8 @@ export const atlassian = (options: AtlassianOptions) => {
 				const { data: profile } = await betterFetch<{
 					account_id: string;
 					name: string;
-					email?: string;
-					picture?: string;
+					email?: string | undefined;
+					picture?: string | undefined;
 				}>("https://api.atlassian.com/me", {
 					headers: { Authorization: `Bearer ${token.accessToken}` },
 				});

package/src/social-providers/cognito.ts

@@ -1,27 +1,27 @@
 import { betterFetch } from "@better-fetch/fetch";
+import { APIError } from "better-call";
 import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	refreshAccessToken,
 	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
-import { logger } from "@better-auth/core/env";
-import { refreshAccessToken } from "@better-auth/core/oauth2";
-import { APIError } from "better-call";
+} from "../oauth2";
 
 export interface CognitoProfile {
 	sub: string;
 	email: string;
 	email_verified: boolean;
 	name: string;
-	given_name?: string;
-	family_name?: string;
-	picture?: string;
-	username?: string;
-	locale?: string;
-	phone_number?: string;
-	phone_number_verified?: boolean;
+	given_name?: string | undefined;
+	family_name?: string | undefined;
+	picture?: string | undefined;
+	username?: string | undefined;
+	locale?: string | undefined;
+	phone_number?: string | undefined;
+	phone_number_verified?: boolean | undefined;
 	aud: string;
 	iss: string;
 	exp: number;
@@ -41,7 +41,7 @@ export interface CognitoOptions extends ProviderOptions<CognitoProfile> {
 	 */
 	region: string;
 	userPoolId: string;
-	requireClientSecret?: boolean;
+	requireClientSecret?: boolean | undefined;
 }
 
 export const cognito = (options: CognitoOptions) => {
@@ -77,8 +77,8 @@ export const cognito = (options: CognitoOptions) => {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["openid", "profile", "email"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 
 			const url = await createAuthorizationURL({
 				id: "cognito",

package/src/social-providers/discord.ts

@@ -1,9 +1,6 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
-import {
-	refreshAccessToken,
-	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import { refreshAccessToken, validateAuthorizationCode } from "../oauth2";
 export interface DiscordProfile extends Record<string, any> {
 	/** the user's id (i.e. the numerical snowflake) */
 	id: string;
@@ -19,12 +16,12 @@ export interface DiscordProfile extends Record<string, any> {
 	 */
 	avatar: string | null;
 	/** whether the user belongs to an OAuth2 application */
-	bot?: boolean;
+	bot?: boolean | undefined;
 	/**
 	 * whether the user is an Official Discord System user (part of the urgent
 	 * message system)
 	 */
-	system?: boolean;
+	system?: boolean | undefined;
 	/** whether the user has two factor enabled on their account */
 	mfa_enabled: boolean;
 	/**
@@ -78,8 +75,8 @@ export interface DiscordProfile extends Record<string, any> {
 
 export interface DiscordOptions extends ProviderOptions<DiscordProfile> {
 	clientId: string;
-	prompt?: "none" | "consent";
-	permissions?: number;
+	prompt?: ("none" | "consent") | undefined;
+	permissions?: number | undefined;
 }
 
 export const discord = (options: DiscordOptions) => {
@@ -88,8 +85,8 @@ export const discord = (options: DiscordOptions) => {
 		name: "Discord",
 		createAuthorizationURL({ state, scopes, redirectURI }) {
 			const _scopes = options.disableDefaultScope ? [] : ["identify", "email"];
-			scopes && _scopes.push(...scopes);
-			options.scope && _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
 			const hasBotScope = _scopes.includes("bot");
 			const permissionsParam =
 				hasBotScope && options.permissions !== undefined

package/src/social-providers/dropbox.ts

@@ -1,10 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
 	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
+} from "../oauth2";
 
 export interface DropboxProfile {
 	account_id: string;
@@ -22,7 +22,7 @@ export interface DropboxProfile {
 
 export interface DropboxOptions extends ProviderOptions<DropboxProfile> {
 	clientId: string;
-	accessType?: "offline" | "online" | "legacy";
+	accessType?: ("offline" | "online" | "legacy") | undefined;
 }
 
 export const dropbox = (options: DropboxOptions) => {
@@ -38,8 +38,8 @@ export const dropbox = (options: DropboxOptions) => {
 			redirectURI,
 		}) => {
 			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			const additionalParams: Record<string, string> = {};
 			if (options.accessType) {
 				additionalParams.token_access_type = options.accessType;