@better-auth/core 1.4.0-beta.9 → 1.4.0

package/src/social-providers/facebook.ts

@@ -1,11 +1,11 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import { createRemoteJWKSet, decodeJwt, jwtVerify } from "jose";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	refreshAccessToken,
 	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
-import { createRemoteJWKSet, jwtVerify, decodeJwt } from "jose";
-import { refreshAccessToken } from "@better-auth/core/oauth2";
+} from "../oauth2";
 export interface FacebookProfile {
 	id: string;
 	name: string;
@@ -28,12 +28,12 @@ export interface FacebookOptions extends ProviderOptions<FacebookProfile> {
 	 *
 	 * @default ["id", "name", "email", "picture"]
 	 */
-	fields?: string[];
+	fields?: string[] | undefined;
 
 	/**
 	 * The config id to use when undergoing oauth
 	 */
-	configId?: string;
+	configId?: string | undefined;
 }
 
 export const facebook = (options: FacebookOptions) => {
@@ -44,8 +44,8 @@ export const facebook = (options: FacebookOptions) => {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["email", "public_profile"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return await createAuthorizationURL({
 				id: "facebook",
 				options,
@@ -152,15 +152,17 @@ export const facebook = (options: FacebookOptions) => {
 				};
 
 				// https://developers.facebook.com/docs/facebook-login/limited-login/permissions
+				// Facebook ID token does not include email_verified claim.
+				// We default to false for security consistency.
 				const userMap = await options.mapProfileToUser?.({
 					...user,
-					email_verified: true,
+					email_verified: false,
 				});
 
 				return {
 					user: {
 						...user,
-						emailVerified: true,
+						emailVerified: false,
 						...userMap,
 					},
 					data: profile,

package/src/social-providers/figma.ts

@@ -1,12 +1,12 @@
 import { betterFetch } from "@better-fetch/fetch";
+import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	refreshAccessToken,
 	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
-import { logger } from "@better-auth/core/env";
-import { refreshAccessToken } from "@better-auth/core/oauth2";
+} from "../oauth2";
 
 export interface FigmaProfile {
 	id: string;
@@ -35,8 +35,8 @@ export const figma = (options: FigmaOptions) => {
 			}
 
 			const _scopes = options.disableDefaultScope ? [] : ["file_read"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 
 			const url = await createAuthorizationURL({
 				id: "figma",

package/src/social-providers/github.ts

@@ -1,10 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
 	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
+} from "../oauth2";
 
 export interface GithubProfile {
 	login: string;
@@ -65,8 +65,8 @@ export const github = (options: GithubOptions) => {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["read:user", "user:email"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "github",
 				options,

package/src/social-providers/gitlab.ts

@@ -1,10 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
-	validateAuthorizationCode,
 	refreshAccessToken,
-} from "@better-auth/core/oauth2";
+	validateAuthorizationCode,
+} from "../oauth2";
 
 export interface GitlabProfile extends Record<string, any> {
 	id: number;
@@ -16,7 +16,7 @@ export interface GitlabProfile extends Record<string, any> {
 	web_url: string;
 	created_at: string;
 	bio: string;
-	location?: string;
+	location?: string | undefined;
 	public_email: string;
 	skype: string;
 	linkedin: string;
@@ -26,7 +26,7 @@ export interface GitlabProfile extends Record<string, any> {
 	job_title: string;
 	pronouns: string;
 	bot: boolean;
-	work_information?: string;
+	work_information?: string | undefined;
 	followers: number;
 	following: number;
 	local_time: string;
@@ -49,11 +49,12 @@ export interface GitlabProfile extends Record<string, any> {
 	commit_email: string;
 	shared_runners_minutes_limit: number;
 	extra_shared_runners_minutes_limit: number;
+	email_verified?: boolean | undefined;
 }
 
 export interface GitlabOptions extends ProviderOptions<GitlabProfile> {
 	clientId: string;
-	issuer?: string;
+	issuer?: string | undefined;
 }
 
 const cleanDoubleSlashes = (input: string = "") => {
@@ -63,7 +64,7 @@ const cleanDoubleSlashes = (input: string = "") => {
 		.join("://");
 };
 
-const issuerToEndpoints = (issuer?: string) => {
+const issuerToEndpoints = (issuer?: string | undefined) => {
 	let baseUrl = issuer || "https://gitlab.com";
 	return {
 		authorizationEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/authorize`),
@@ -88,8 +89,8 @@ export const gitlab = (options: GitlabOptions) => {
 			redirectURI,
 		}) => {
 			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return await createAuthorizationURL({
 				id: issuerId,
 				options,
@@ -135,13 +136,15 @@ export const gitlab = (options: GitlabOptions) => {
 				return null;
 			}
 			const userMap = await options.mapProfileToUser?.(profile);
+			// GitLab may provide email_verified claim, but it's not guaranteed.
+			// We check for it first, then default to false for security consistency.
 			return {
 				user: {
 					id: profile.id,
 					name: profile.name ?? profile.username,
 					email: profile.email,
 					image: profile.avatar_url,
-					emailVerified: true,
+					emailVerified: profile.email_verified ?? false,
 					...userMap,
 				},
 				data: profile,

package/src/social-providers/google.ts

@@ -1,13 +1,13 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt } from "jose";
+import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	refreshAccessToken,
 	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
-import { logger } from "@better-auth/core/env";
-import { refreshAccessToken } from "@better-auth/core/oauth2";
+} from "../oauth2";
 
 export interface GoogleProfile {
 	aud: string;
@@ -25,13 +25,13 @@ export interface GoogleProfile {
 	 * Western languages.
 	 */
 	given_name: string;
-	hd?: string;
+	hd?: string | undefined;
 	iat: number;
 	iss: string;
-	jti?: string;
-	locale?: string;
+	jti?: string | undefined;
+	locale?: string | undefined;
 	name: string;
-	nbf?: number;
+	nbf?: number | undefined;
 	picture: string;
 	sub: string;
 }
@@ -41,15 +41,15 @@ export interface GoogleOptions extends ProviderOptions<GoogleProfile> {
 	/**
 	 * The access type to use for the authorization code request
 	 */
-	accessType?: "offline" | "online";
+	accessType?: ("offline" | "online") | undefined;
 	/**
 	 * The display mode to use for the authorization code request
 	 */
-	display?: "page" | "popup" | "touch" | "wap";
+	display?: ("page" | "popup" | "touch" | "wap") | undefined;
 	/**
 	 * The hosted domain of the user
 	 */
-	hd?: string;
+	hd?: string | undefined;
 }
 
 export const google = (options: GoogleOptions) => {
@@ -76,8 +76,8 @@ export const google = (options: GoogleOptions) => {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["email", "profile", "openid"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			const url = await createAuthorizationURL({
 				id: "google",
 				options,

package/src/social-providers/huggingface.ts

@@ -1,10 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
-	validateAuthorizationCode,
 	refreshAccessToken,
-} from "@better-auth/core/oauth2";
+	validateAuthorizationCode,
+} from "../oauth2";
 
 export interface HuggingFaceProfile {
 	sub: string;
@@ -12,27 +12,29 @@ export interface HuggingFaceProfile {
 	preferred_username: string;
 	profile: string;
 	picture: string;
-	website?: string;
-	email?: string;
-	email_verified?: boolean;
+	website?: string | undefined;
+	email?: string | undefined;
+	email_verified?: boolean | undefined;
 	isPro: boolean;
-	canPay?: boolean;
-	orgs?: {
-		sub: string;
-		name: string;
-		picture: string;
-		preferred_username: string;
-		isEnterprise: boolean | "plus";
-		canPay?: boolean;
-		roleInOrg?: "admin" | "write" | "contributor" | "read";
-		pendingSSO?: boolean;
-		missingMFA?: boolean;
-		resourceGroups?: {
-			sub: string;
-			name: string;
-			role: "admin" | "write" | "contributor" | "read";
-		}[];
-	};
+	canPay?: boolean | undefined;
+	orgs?:
+		| {
+				sub: string;
+				name: string;
+				picture: string;
+				preferred_username: string;
+				isEnterprise: boolean | "plus";
+				canPay?: boolean;
+				roleInOrg?: "admin" | "write" | "contributor" | "read";
+				pendingSSO?: boolean;
+				missingMFA?: boolean;
+				resourceGroups?: {
+					sub: string;
+					name: string;
+					role: "admin" | "write" | "contributor" | "read";
+				}[];
+		  }
+		| undefined;
 }
 
 export interface HuggingFaceOptions
@@ -48,8 +50,8 @@ export const huggingface = (options: HuggingFaceOptions) => {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["openid", "profile", "email"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "huggingface",
 				options,

package/src/social-providers/index.ts

@@ -3,32 +3,34 @@ import { apple } from "./apple";
 import { atlassian } from "./atlassian";
 import { cognito } from "./cognito";
 import { discord } from "./discord";
+import { dropbox } from "./dropbox";
 import { facebook } from "./facebook";
 import { figma } from "./figma";
 import { github } from "./github";
+import { gitlab } from "./gitlab";
 import { google } from "./google";
-import { kick } from "./kick";
 import { huggingface } from "./huggingface";
-import { microsoft } from "./microsoft-entra-id";
-import { slack } from "./slack";
-import { notion } from "./notion";
-import { spotify } from "./spotify";
-import { twitch } from "./twitch";
-import { twitter } from "./twitter";
-import { dropbox } from "./dropbox";
+import { kakao } from "./kakao";
+import { kick } from "./kick";
+import { line } from "./line";
 import { linear } from "./linear";
 import { linkedin } from "./linkedin";
-import { gitlab } from "./gitlab";
-import { tiktok } from "./tiktok";
+import { microsoft } from "./microsoft-entra-id";
+import { naver } from "./naver";
+import { notion } from "./notion";
+import { paybin } from "./paybin";
+import { paypal } from "./paypal";
+import { polar } from "./polar";
 import { reddit } from "./reddit";
 import { roblox } from "./roblox";
 import { salesforce } from "./salesforce";
+import { slack } from "./slack";
+import { spotify } from "./spotify";
+import { tiktok } from "./tiktok";
+import { twitch } from "./twitch";
+import { twitter } from "./twitter";
 import { vk } from "./vk";
 import { zoom } from "./zoom";
-import { kakao } from "./kakao";
-import { naver } from "./naver";
-import { line } from "./line";
-import { paypal } from "./paypal";
 
 export const socialProviders = {
 	apple,
@@ -60,7 +62,9 @@ export const socialProviders = {
 	kakao,
 	naver,
 	line,
+	paybin,
 	paypal,
+	polar,
 };
 
 export const socialProviderList = Object.keys(socialProviders) as [
@@ -78,7 +82,7 @@ export type SocialProviders = {
 	[K in SocialProviderList[number]]?: Parameters<
 		(typeof socialProviders)[K]
 	>[0] & {
-		enabled?: boolean;
+		enabled?: boolean | undefined;
 	};
 };
 
@@ -90,29 +94,31 @@ export * from "./dropbox";
 export * from "./facebook";
 export * from "./figma";
 export * from "./github";
-export * from "./linear";
-export * from "./linkedin";
 export * from "./gitlab";
 export * from "./google";
+export * from "./huggingface";
+export * from "./kakao";
 export * from "./kick";
+export * from "./kick";
+export * from "./line";
+export * from "./linear";
+export * from "./linkedin";
 export * from "./linkedin";
 export * from "./microsoft-entra-id";
+export * from "./naver";
 export * from "./notion";
+export * from "./paybin";
+export * from "./paypal";
+export * from "./polar";
 export * from "./reddit";
 export * from "./roblox";
 export * from "./salesforce";
+export * from "./slack";
 export * from "./spotify";
 export * from "./tiktok";
 export * from "./twitch";
 export * from "./twitter";
 export * from "./vk";
 export * from "./zoom";
-export * from "./kick";
-export * from "./huggingface";
-export * from "./slack";
-export * from "./kakao";
-export * from "./naver";
-export * from "./line";
-export * from "./paypal";
 
 export type SocialProviderList = typeof socialProviderList;

package/src/social-providers/kakao.ts

@@ -1,80 +1,80 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
-	validateAuthorizationCode,
 	refreshAccessToken,
-} from "@better-auth/core/oauth2";
+	validateAuthorizationCode,
+} from "../oauth2";
 
 interface Partner {
 	/** Partner-specific ID (consent required: kakaotalk_message) */
-	uuid?: string;
+	uuid?: string | undefined;
 }
 
 interface Profile {
 	/** Nickname (consent required: profile/nickname) */
-	nickname?: string;
+	nickname?: string | undefined;
 	/** Thumbnail image URL (consent required: profile/profile image) */
-	thumbnail_image_url?: string;
+	thumbnail_image_url?: string | undefined;
 	/** Profile image URL (consent required: profile/profile image) */
-	profile_image_url?: string;
+	profile_image_url?: string | undefined;
 	/** Whether the profile image is the default */
-	is_default_image?: boolean;
+	is_default_image?: boolean | undefined;
 	/** Whether the nickname is the default */
-	is_default_nickname?: boolean;
+	is_default_nickname?: boolean | undefined;
 }
 
 interface KakaoAccount {
 	/** Consent required: profile info (nickname/profile image) */
-	profile_needs_agreement?: boolean;
+	profile_needs_agreement?: boolean | undefined;
 	/** Consent required: nickname */
-	profile_nickname_needs_agreement?: boolean;
+	profile_nickname_needs_agreement?: boolean | undefined;
 	/** Consent required: profile image */
-	profile_image_needs_agreement?: boolean;
+	profile_image_needs_agreement?: boolean | undefined;
 	/** Profile info */
-	profile?: Profile;
+	profile?: Profile | undefined;
 	/** Consent required: name */
-	name_needs_agreement?: boolean;
+	name_needs_agreement?: boolean | undefined;
 	/** Name */
-	name?: string;
+	name?: string | undefined;
 	/** Consent required: email */
-	email_needs_agreement?: boolean;
+	email_needs_agreement?: boolean | undefined;
 	/** Email valid */
-	is_email_valid?: boolean;
+	is_email_valid?: boolean | undefined;
 	/** Email verified */
-	is_email_verified?: boolean;
+	is_email_verified?: boolean | undefined;
 	/** Email */
-	email?: string;
+	email?: string | undefined;
 	/** Consent required: age range */
-	age_range_needs_agreement?: boolean;
+	age_range_needs_agreement?: boolean | undefined;
 	/** Age range */
-	age_range?: string;
+	age_range?: string | undefined;
 	/** Consent required: birth year */
-	birthyear_needs_agreement?: boolean;
+	birthyear_needs_agreement?: boolean | undefined;
 	/** Birth year (YYYY) */
-	birthyear?: string;
+	birthyear?: string | undefined;
 	/** Consent required: birthday */
-	birthday_needs_agreement?: boolean;
+	birthday_needs_agreement?: boolean | undefined;
 	/** Birthday (MMDD) */
-	birthday?: string;
+	birthday?: string | undefined;
 	/** Birthday type (SOLAR/LUNAR) */
-	birthday_type?: string;
+	birthday_type?: string | undefined;
 	/** Whether birthday is in a leap month */
-	is_leap_month?: boolean;
+	is_leap_month?: boolean | undefined;
 	/** Consent required: gender */
-	gender_needs_agreement?: boolean;
+	gender_needs_agreement?: boolean | undefined;
 	/** Gender (male/female) */
-	gender?: string;
+	gender?: string | undefined;
 	/** Consent required: phone number */
-	phone_number_needs_agreement?: boolean;
+	phone_number_needs_agreement?: boolean | undefined;
 	/** Phone number */
-	phone_number?: string;
+	phone_number?: string | undefined;
 	/** Consent required: CI */
-	ci_needs_agreement?: boolean;
+	ci_needs_agreement?: boolean | undefined;
 	/** CI (unique identifier) */
-	ci?: string;
+	ci?: string | undefined;
 	/** CI authentication time (UTC) */
-	ci_authenticated_at?: string;
+	ci_authenticated_at?: string | undefined;
 }
 
 export interface KakaoProfile {
@@ -84,17 +84,17 @@ export interface KakaoProfile {
 	 * Whether the user has signed up (only present if auto-connection is disabled)
 	 * false: preregistered, true: registered
 	 */
-	has_signed_up?: boolean;
+	has_signed_up?: boolean | undefined;
 	/** UTC datetime when the user connected the service */
-	connected_at?: string;
+	connected_at?: string | undefined;
 	/** UTC datetime when the user signed up via Kakao Sync */
-	synched_at?: string;
+	synched_at?: string | undefined;
 	/** Custom user properties */
-	properties?: Record<string, any>;
+	properties?: Record<string, any> | undefined;
 	/** Kakao account info */
 	kakao_account: KakaoAccount;
 	/** Partner info */
-	for_partner?: Partner;
+	for_partner?: Partner | undefined;
 }
 
 export interface KakaoOptions extends ProviderOptions<KakaoProfile> {
@@ -109,8 +109,8 @@ export const kakao = (options: KakaoOptions) => {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["account_email", "profile_image", "profile_nickname"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "kakao",
 				options,

package/src/social-providers/kick.ts

@@ -1,9 +1,6 @@
 import { betterFetch } from "@better-fetch/fetch";
-import {
-	createAuthorizationURL,
-	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import { createAuthorizationURL, validateAuthorizationCode } from "../oauth2";
 
 export interface KickProfile {
 	/**
@@ -34,8 +31,8 @@ export const kick = (options: KickOptions) => {
 		name: "Kick",
 		createAuthorizationURL({ state, scopes, redirectURI, codeVerifier }) {
 			const _scopes = options.disableDefaultScope ? [] : ["user:read"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 
 			return createAuthorizationURL({
 				id: "kick",
@@ -77,14 +74,15 @@ export const kick = (options: KickOptions) => {
 			const profile = data.data[0]!;
 
 			const userMap = await options.mapProfileToUser?.(profile);
-
+			// Kick does not provide email_verified claim.
+			// We default to false for security consistency.
 			return {
 				user: {
 					id: profile.user_id,
 					name: profile.name,
 					email: profile.email,
 					image: profile.profile_picture,
-					emailVerified: true,
+					emailVerified: false,
 					...userMap,
 				},
 				data: profile,