@better-auth/core 1.4.0-beta.9 → 1.4.0

package/src/social-providers/line.ts

@@ -1,11 +1,11 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt } from "jose";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
 	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
+} from "../oauth2";
 
 export interface LineIdTokenPayload {
 	iss: string;
@@ -13,18 +13,18 @@ export interface LineIdTokenPayload {
 	aud: string;
 	exp: number;
 	iat: number;
-	name?: string;
-	picture?: string;
-	email?: string;
-	amr?: string[];
-	nonce?: string;
+	name?: string | undefined;
+	picture?: string | undefined;
+	email?: string | undefined;
+	amr?: string[] | undefined;
+	nonce?: string | undefined;
 }
 
 export interface LineUserInfo {
 	sub: string;
-	name?: string;
-	picture?: string;
-	email?: string;
+	name?: string | undefined;
+	picture?: string | undefined;
+	email?: string | undefined;
 }
 
 export interface LineOptions
@@ -60,8 +60,8 @@ export const line = (options: LineOptions) => {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["openid", "profile", "email"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return await createAuthorizationURL({
 				id: "line",
 				options,

package/src/social-providers/linear.ts

@@ -1,16 +1,16 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
 	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
+} from "../oauth2";
 
-interface LinearUser {
+export interface LinearUser {
 	id: string;
 	name: string;
 	email: string;
-	avatarUrl?: string;
+	avatarUrl?: string | undefined;
 	active: boolean;
 	createdAt: string;
 	updatedAt: string;
@@ -33,8 +33,8 @@ export const linear = (options: LinearOptions) => {
 		name: "Linear",
 		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
 			const _scopes = options.disableDefaultScope ? [] : ["read"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "linear",
 				options,
@@ -102,14 +102,15 @@ export const linear = (options: LinearOptions) => {
 
 			const userData = profile.data.viewer;
 			const userMap = await options.mapProfileToUser?.(userData);
-
+			// Linear does not provide email_verified claim.
+			// We default to false for security consistency.
 			return {
 				user: {
 					id: profile.data.viewer.id,
 					name: profile.data.viewer.name,
 					email: profile.data.viewer.email,
 					image: profile.data.viewer.avatarUrl,
-					emailVerified: true,
+					emailVerified: false,
 					...userMap,
 				},
 				data: userData,

package/src/social-providers/linkedin.ts

@@ -1,10 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
-	validateAuthorizationCode,
 	refreshAccessToken,
-} from "@better-auth/core/oauth2";
+	validateAuthorizationCode,
+} from "../oauth2";
 
 export interface LinkedInProfile {
 	sub: string;
@@ -41,8 +41,8 @@ export const linkedin = (options: LinkedInOptions) => {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["profile", "email", "openid"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return await createAuthorizationURL({
 				id: "linkedin",
 				options,

package/src/social-providers/microsoft-entra-id.ts

@@ -1,13 +1,13 @@
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt } from "jose";
+import { logger } from "../env";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
-	validateAuthorizationCode,
 	createAuthorizationURL,
 	refreshAccessToken,
-} from "@better-auth/core/oauth2";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
-import { betterFetch } from "@better-fetch/fetch";
-import { logger } from "@better-auth/core/env";
-import { decodeJwt } from "jose";
-import { base64 } from "@better-auth/utils/base64";
+	validateAuthorizationCode,
+} from "../oauth2";
 
 /**
  * @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)
@@ -81,6 +81,8 @@ export interface MicrosoftEntraIDProfile extends Record<string, any> {
 	verified_primary_email: string[];
 	/** User's verified secondary email addresses */
 	verified_secondary_email: string[];
+	/** Whether the user's email is verified (optional claim, must be configured in app registration) */
+	email_verified?: boolean | undefined;
 	/** VNET specifier information */
 	vnet: string;
 	/** Client Capabilities */
@@ -118,21 +120,23 @@ export interface MicrosoftOptions
 	 * The tenant ID of the Microsoft account
 	 * @default "common"
 	 */
-	tenantId?: string;
+	tenantId?: string | undefined;
 	/**
 	 * The authentication authority URL. Use the default "https://login.microsoftonline.com" for standard Entra ID or "https://<tenant-id>.ciamlogin.com" for CIAM scenarios.
 	 * @default "https://login.microsoftonline.com"
 	 */
-	authority?: string;
+	authority?: string | undefined;
 	/**
 	 * The size of the profile photo
 	 * @default 48
 	 */
-	profilePhotoSize?: 48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648;
+	profilePhotoSize?:
+		| (48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648)
+		| undefined;
 	/**
 	 * Disable profile photo
 	 */
-	disableProfilePhoto?: boolean;
+	disableProfilePhoto?: boolean | undefined;
 }
 
 export const microsoft = (options: MicrosoftOptions) => {
@@ -147,8 +151,8 @@ export const microsoft = (options: MicrosoftOptions) => {
 			const scopes = options.disableDefaultScope
 				? []
 				: ["openid", "profile", "email", "User.Read", "offline_access"];
-			options.scope && scopes.push(...options.scope);
-			data.scopes && scopes.push(...data.scopes);
+			if (options.scope) scopes.push(...options.scope);
+			if (data.scopes) scopes.push(...data.scopes);
 			return createAuthorizationURL({
 				id: "microsoft",
 				options,
@@ -206,13 +210,25 @@ export const microsoft = (options: MicrosoftOptions) => {
 				},
 			);
 			const userMap = await options.mapProfileToUser?.(user);
+			// Microsoft Entra ID does NOT include email_verified claim by default.
+			// It must be configured as an optional claim in the app registration.
+			// We default to false when not provided for security consistency.
+			// We can also check verified_primary_email/verified_secondary_email arrays as fallback.
+			const emailVerified =
+				user.email_verified !== undefined
+					? user.email_verified
+					: user.email &&
+							(user.verified_primary_email?.includes(user.email) ||
+								user.verified_secondary_email?.includes(user.email))
+						? true
+						: false;
 			return {
 				user: {
 					id: user.sub,
 					name: user.name,
 					email: user.email,
 					image: user.picture,
-					emailVerified: true,
+					emailVerified,
 					...userMap,
 				},
 				data: user,
@@ -224,7 +240,7 @@ export const microsoft = (options: MicrosoftOptions) => {
 					const scopes = options.disableDefaultScope
 						? []
 						: ["openid", "profile", "email", "User.Read", "offline_access"];
-					options.scope && scopes.push(...options.scope);
+					if (options.scope) scopes.push(...options.scope);
 
 					return refreshAccessToken({
 						refreshToken,

package/src/social-providers/naver.ts

@@ -1,10 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
-	validateAuthorizationCode,
 	refreshAccessToken,
-} from "@better-auth/core/oauth2";
+	validateAuthorizationCode,
+} from "../oauth2";
 
 export interface NaverProfile {
 	/** API response result code */
@@ -45,8 +45,8 @@ export const naver = (options: NaverOptions) => {
 		name: "Naver",
 		createAuthorizationURL({ state, scopes, redirectURI }) {
 			const _scopes = options.disableDefaultScope ? [] : ["profile", "email"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "naver",
 				options,

package/src/social-providers/notion.ts

@@ -1,20 +1,22 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
 	validateAuthorizationCode,
-} from "@better-auth/core/oauth2";
+} from "../oauth2";
 
 export interface NotionProfile {
 	object: "user";
 	id: string;
 	type: "person" | "bot";
-	name?: string;
-	avatar_url?: string;
-	person?: {
-		email?: string;
-	};
+	name?: string | undefined;
+	avatar_url?: string | undefined;
+	person?:
+		| {
+				email?: string;
+		  }
+		| undefined;
 }
 
 export interface NotionOptions extends ProviderOptions<NotionProfile> {
@@ -28,8 +30,8 @@ export const notion = (options: NotionOptions) => {
 		name: "Notion",
 		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
 			const _scopes: string[] = options.disableDefaultScope ? [] : [];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "notion",
 				options,

package/src/social-providers/paybin.ts

@@ -0,0 +1,122 @@
+import { decodeJwt } from "jose";
+import { logger } from "../env";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+export interface PaybinProfile {
+	sub: string;
+	email: string;
+	email_verified?: boolean | undefined;
+	name?: string | undefined;
+	preferred_username?: string | undefined;
+	picture?: string | undefined;
+	given_name?: string | undefined;
+	family_name?: string | undefined;
+}
+
+export interface PaybinOptions extends ProviderOptions<PaybinProfile> {
+	clientId: string;
+	/**
+	 * The issuer URL of your Paybin OAuth server
+	 * @default "https://idp.paybin.io"
+	 */
+	issuer?: string | undefined;
+}
+
+export const paybin = (options: PaybinOptions) => {
+	const issuer = options.issuer || "https://idp.paybin.io";
+	const authorizationEndpoint = `${issuer}/oauth2/authorize`;
+	const tokenEndpoint = `${issuer}/oauth2/token`;
+
+	return {
+		id: "paybin",
+		name: "Paybin",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			loginHint,
+		}) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error(
+					"Client Id and Client Secret is required for Paybin. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) {
+				throw new BetterAuthError("codeVerifier is required for Paybin");
+			}
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "email", "profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			const url = await createAuthorizationURL({
+				id: "paybin",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+				loginHint,
+			});
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			if (!token.idToken) {
+				return null;
+			}
+			const user = decodeJwt(token.idToken) as PaybinProfile;
+			const userMap = await options.mapProfileToUser?.(user);
+			return {
+				user: {
+					id: user.sub,
+					name:
+						user.name ||
+						user.preferred_username ||
+						(user.email ? user.email.split("@")[0] : "User") ||
+						"User",
+					email: user.email,
+					image: user.picture,
+					emailVerified: user.email_verified || false,
+					...userMap,
+				},
+				data: user,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<PaybinProfile>;
+};

package/src/social-providers/paypal.ts

@@ -1,46 +1,48 @@
+import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
-import { createAuthorizationURL } from "@better-auth/core/oauth2";
-import { logger } from "@better-auth/core/env";
 import { decodeJwt } from "jose";
-import { base64 } from "@better-auth/utils/base64";
+import { logger } from "../env";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import { createAuthorizationURL } from "../oauth2";
 
 export interface PayPalProfile {
 	user_id: string;
 	name: string;
 	given_name: string;
 	family_name: string;
-	middle_name?: string;
-	picture?: string;
+	middle_name?: string | undefined;
+	picture?: string | undefined;
 	email: string;
 	email_verified: boolean;
-	gender?: string;
-	birthdate?: string;
-	zoneinfo?: string;
-	locale?: string;
-	phone_number?: string;
-	address?: {
-		street_address?: string;
-		locality?: string;
-		region?: string;
-		postal_code?: string;
-		country?: string;
-	};
-	verified_account?: boolean;
-	account_type?: string;
-	age_range?: string;
-	payer_id?: string;
+	gender?: string | undefined;
+	birthdate?: string | undefined;
+	zoneinfo?: string | undefined;
+	locale?: string | undefined;
+	phone_number?: string | undefined;
+	address?:
+		| {
+				street_address?: string;
+				locality?: string;
+				region?: string;
+				postal_code?: string;
+				country?: string;
+		  }
+		| undefined;
+	verified_account?: boolean | undefined;
+	account_type?: string | undefined;
+	age_range?: string | undefined;
+	payer_id?: string | undefined;
 }
 
 export interface PayPalTokenResponse {
-	scope?: string;
+	scope?: string | undefined;
 	access_token: string;
-	refresh_token?: string;
+	refresh_token?: string | undefined;
 	token_type: "Bearer";
-	id_token?: string;
+	id_token?: string | undefined;
 	expires_in: number;
-	nonce?: string;
+	nonce?: string | undefined;
 }
 
 export interface PayPalOptions extends ProviderOptions<PayPalProfile> {
@@ -49,12 +51,12 @@ export interface PayPalOptions extends ProviderOptions<PayPalProfile> {
 	 * PayPal environment - 'sandbox' for testing, 'live' for production
 	 * @default 'sandbox'
 	 */
-	environment?: "sandbox" | "live";
+	environment?: ("sandbox" | "live") | undefined;
 	/**
 	 * Whether to request shipping address information
 	 * @default false
 	 */
-	requestShippingAddress?: boolean;
+	requestShippingAddress?: boolean | undefined;
 }
 
 export const paypal = (options: PayPalOptions) => {

package/src/social-providers/polar.ts

@@ -0,0 +1,110 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+export interface PolarProfile {
+	id: string;
+	email: string;
+	username: string;
+	avatar_url: string;
+	github_username?: string | undefined;
+	account_id?: string | undefined;
+	public_name?: string | undefined;
+	email_verified?: boolean | undefined;
+	profile_settings?:
+		| {
+				profile_settings_enabled?: boolean;
+				profile_settings_public_name?: string;
+				profile_settings_public_avatar?: string;
+				profile_settings_public_bio?: string;
+				profile_settings_public_location?: string;
+				profile_settings_public_website?: string;
+				profile_settings_public_twitter?: string;
+				profile_settings_public_github?: string;
+				profile_settings_public_email?: string;
+		  }
+		| undefined;
+}
+
+export interface PolarOptions extends ProviderOptions<PolarProfile> {}
+
+export const polar = (options: PolarOptions) => {
+	return {
+		id: "polar",
+		name: "Polar",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "polar",
+				options,
+				authorizationEndpoint: "https://polar.sh/oauth2/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://api.polar.sh/v1/oauth2/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://api.polar.sh/v1/oauth2/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<PolarProfile>(
+				"https://api.polar.sh/v1/oauth2/userinfo",
+				{
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+			if (error) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			// Polar may provide email_verified claim, but it's not guaranteed.
+			// We check for it first, then default to false for security consistency.
+			return {
+				user: {
+					id: profile.id,
+					name: profile.public_name || profile.username,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified: profile.email_verified ?? false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<PolarProfile>;
+};

package/src/social-providers/reddit.ts

@@ -1,11 +1,11 @@
+import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "@better-auth/core/oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getOAuth2Tokens,
 	refreshAccessToken,
-} from "@better-auth/core/oauth2";
-import { base64 } from "@better-auth/utils/base64";
+} from "../oauth2";
 
 export interface RedditProfile {
 	id: string;
@@ -18,7 +18,7 @@ export interface RedditProfile {
 
 export interface RedditOptions extends ProviderOptions<RedditProfile> {
 	clientId: string;
-	duration?: string;
+	duration?: string | undefined;
 }
 
 export const reddit = (options: RedditOptions) => {
@@ -27,8 +27,8 @@ export const reddit = (options: RedditOptions) => {
 		name: "Reddit",
 		createAuthorizationURL({ state, scopes, redirectURI }) {
 			const _scopes = options.disableDefaultScope ? [] : ["identity"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "reddit",
 				options,