@better-auth/core 1.4.12-beta.2 → 1.4.13

package/dist/social-providers/apple.d.mts

@@ -0,0 +1,119 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/apple.d.ts
+interface AppleProfile {
+  /**
+   * The subject registered claim identifies the principal that’s the subject
+   * of the identity token. Because this token is for your app, the value is
+   * the unique identifier for the user.
+   */
+  sub: string;
+  /**
+   * A String value representing the user's email address.
+   * The email address is either the user's real email address or the proxy
+   * address, depending on their status private email relay service.
+   */
+  email: string;
+  /**
+   * A string or Boolean value that indicates whether the service verifies
+   * the email. The value can either be a string ("true" or "false") or a
+   * Boolean (true or false). The system may not verify email addresses for
+   * Sign in with Apple at Work & School users, and this claim is "false" or
+   * false for those users.
+   */
+  email_verified: true | "true";
+  /**
+   * A string or Boolean value that indicates whether the email that the user
+   * shares is the proxy address. The value can either be a string ("true" or
+   * "false") or a Boolean (true or false).
+   */
+  is_private_email: boolean;
+  /**
+   * An Integer value that indicates whether the user appears to be a real
+   * person. Use the value of this claim to mitigate fraud. The possible
+   * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
+   * more information, see ASUserDetectionStatus. This claim is present only
+   * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
+   * and later. The claim isn’t present or supported for web-based apps.
+   */
+  real_user_status: number;
+  /**
+   * The user’s full name in the format provided during the authorization
+   * process.
+   */
+  name: string;
+  /**
+   * The URL to the user's profile picture.
+   */
+  picture: string;
+  user?: AppleNonConformUser | undefined;
+}
+/**
+ * This is the shape of the `user` query parameter that Apple sends the first
+ * time the user consents to the app.
+ * @see https://developer.apple.com/documentation/signinwithapplerestapi/request-an-authorization-to-the-sign-in-with-apple-server./
+ */
+interface AppleNonConformUser {
+  name: {
+    firstName: string;
+    lastName: string;
+  };
+  email: string;
+}
+interface AppleOptions extends ProviderOptions<AppleProfile> {
+  clientId: string;
+  appBundleIdentifier?: string | undefined;
+  audience?: (string | string[]) | undefined;
+}
+declare const apple: (options: AppleOptions) => {
+  id: "apple";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: AppleOptions;
+};
+declare const getApplePublicKey: (kid: string) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
+//#endregion
+export { AppleNonConformUser, AppleOptions, AppleProfile, apple, getApplePublicKey };

package/dist/social-providers/apple.mjs

@@ -0,0 +1,102 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { APIError } from "better-call";
+
+//#region src/social-providers/apple.ts
+const apple = (options) => {
+	const tokenEndpoint = "https://appleid.apple.com/auth/token";
+	return {
+		id: "apple",
+		name: "Apple",
+		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
+			if (options.scope) _scope.push(...options.scope);
+			if (scopes) _scope.push(...scopes);
+			return await createAuthorizationURL({
+				id: "apple",
+				options,
+				authorizationEndpoint: "https://appleid.apple.com/auth/authorize",
+				scopes: _scope,
+				state,
+				redirectURI,
+				responseMode: "form_post",
+				responseType: "code id_token"
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+			if (!kid || !jwtAlg) return false;
+			const { payload: jwtClaims } = await jwtVerify(token, await getApplePublicKey(kid), {
+				algorithms: [jwtAlg],
+				issuer: "https://appleid.apple.com",
+				audience: options.audience && options.audience.length ? options.audience : options.appBundleIdentifier ? options.appBundleIdentifier : options.clientId,
+				maxTokenAge: "1h"
+			});
+			["email_verified", "is_private_email"].forEach((field) => {
+				if (jwtClaims[field] !== void 0) jwtClaims[field] = Boolean(jwtClaims[field]);
+			});
+			if (nonce && jwtClaims.nonce !== nonce) return false;
+			return !!jwtClaims;
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://appleid.apple.com/auth/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.idToken) return null;
+			const profile = decodeJwt(token.idToken);
+			if (!profile) return null;
+			const name = token.user ? `${token.user.name?.firstName} ${token.user.name?.lastName}` : profile.name || profile.email;
+			const emailVerified = typeof profile.email_verified === "boolean" ? profile.email_verified : profile.email_verified === "true";
+			const enrichedProfile = {
+				...profile,
+				name
+			};
+			const userMap = await options.mapProfileToUser?.(enrichedProfile);
+			return {
+				user: {
+					id: profile.sub,
+					name: enrichedProfile.name,
+					emailVerified,
+					email: profile.email,
+					...userMap
+				},
+				data: enrichedProfile
+			};
+		},
+		options
+	};
+};
+const getApplePublicKey = async (kid) => {
+	const { data } = await betterFetch(`https://appleid.apple.com/auth/keys`);
+	if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+	return await importJWK(jwk, jwk.alg);
+};
+
+//#endregion
+export { apple, getApplePublicKey };

package/dist/social-providers/atlassian.d.mts

@@ -0,0 +1,72 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/atlassian.d.ts
+interface AtlassianProfile {
+  account_type?: string | undefined;
+  account_id: string;
+  email?: string | undefined;
+  name: string;
+  picture?: string | undefined;
+  nickname?: string | undefined;
+  locale?: string | undefined;
+  extended_profile?: {
+    job_title?: string;
+    organization?: string;
+    department?: string;
+    location?: string;
+  } | undefined;
+}
+interface AtlassianOptions extends ProviderOptions<AtlassianProfile> {
+  clientId: string;
+}
+declare const atlassian: (options: AtlassianOptions) => {
+  id: "atlassian";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    codeVerifier,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: AtlassianOptions;
+};
+//#endregion
+export { AtlassianOptions, AtlassianProfile, atlassian };

package/dist/social-providers/atlassian.mjs

@@ -0,0 +1,83 @@
+import { logger } from "../env/logger.mjs";
+import "../env/index.mjs";
+import { BetterAuthError } from "../error/index.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/atlassian.ts
+const atlassian = (options) => {
+	return {
+		id: "atlassian",
+		name: "Atlassian",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Secret are required for Atlassian");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Atlassian");
+			const _scopes = options.disableDefaultScope ? [] : ["read:jira-user", "offline_access"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "atlassian",
+				options,
+				authorizationEndpoint: "https://auth.atlassian.com/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				additionalParams: { audience: "api.atlassian.com" },
+				prompt: options.prompt
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://auth.atlassian.com/oauth/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://auth.atlassian.com/oauth/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.accessToken) return null;
+			try {
+				const { data: profile } = await betterFetch("https://api.atlassian.com/me", { headers: { Authorization: `Bearer ${token.accessToken}` } });
+				if (!profile) return null;
+				const userMap = await options.mapProfileToUser?.(profile);
+				return {
+					user: {
+						id: profile.account_id,
+						name: profile.name,
+						email: profile.email,
+						image: profile.picture,
+						emailVerified: false,
+						...userMap
+					},
+					data: profile
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Figma:", error);
+				return null;
+			}
+		},
+		options
+	};
+};
+
+//#endregion
+export { atlassian };

package/dist/social-providers/cognito.d.mts

@@ -0,0 +1,87 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/cognito.d.ts
+interface CognitoProfile {
+  sub: string;
+  email: string;
+  email_verified: boolean;
+  name: string;
+  given_name?: string | undefined;
+  family_name?: string | undefined;
+  picture?: string | undefined;
+  username?: string | undefined;
+  locale?: string | undefined;
+  phone_number?: string | undefined;
+  phone_number_verified?: boolean | undefined;
+  aud: string;
+  iss: string;
+  exp: number;
+  iat: number;
+  [key: string]: any;
+}
+interface CognitoOptions extends ProviderOptions<CognitoProfile> {
+  clientId: string;
+  /**
+   * The Cognito domain (e.g., "your-app.auth.us-east-1.amazoncognito.com")
+   */
+  domain: string;
+  /**
+   * AWS region where User Pool is hosted (e.g., "us-east-1")
+   */
+  region: string;
+  userPoolId: string;
+  requireClientSecret?: boolean | undefined;
+}
+declare const cognito: (options: CognitoOptions) => {
+  id: "cognito";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    codeVerifier,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: CognitoOptions;
+};
+declare const getCognitoPublicKey: (kid: string, region: string, userPoolId: string) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
+//#endregion
+export { CognitoOptions, CognitoProfile, cognito, getCognitoPublicKey };

package/dist/social-providers/cognito.mjs

@@ -0,0 +1,166 @@
+import { logger } from "../env/logger.mjs";
+import "../env/index.mjs";
+import { BetterAuthError } from "../error/index.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { APIError } from "better-call";
+
+//#region src/social-providers/cognito.ts
+const cognito = (options) => {
+	if (!options.domain || !options.region || !options.userPoolId) {
+		logger.error("Domain, region and userPoolId are required for Amazon Cognito. Make sure to provide them in the options.");
+		throw new BetterAuthError("DOMAIN_AND_REGION_REQUIRED");
+	}
+	const cleanDomain = options.domain.replace(/^https?:\/\//, "");
+	const authorizationEndpoint = `https://${cleanDomain}/oauth2/authorize`;
+	const tokenEndpoint = `https://${cleanDomain}/oauth2/token`;
+	const userInfoEndpoint = `https://${cleanDomain}/oauth2/userinfo`;
+	return {
+		id: "cognito",
+		name: "Cognito",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId) {
+				logger.error("ClientId is required for Amazon Cognito. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (options.requireClientSecret && !options.clientSecret) {
+				logger.error("Client Secret is required when requireClientSecret is true. Make sure to provide it in the options.");
+				throw new BetterAuthError("CLIENT_SECRET_REQUIRED");
+			}
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			const url = await createAuthorizationURL({
+				id: "cognito",
+				options: { ...options },
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt
+			});
+			const scopeValue = url.searchParams.get("scope");
+			if (scopeValue) {
+				url.searchParams.delete("scope");
+				const encodedScope = encodeURIComponent(scopeValue);
+				const urlString = url.toString();
+				const separator = urlString.includes("?") ? "&" : "?";
+				return new URL(`${urlString}${separator}scope=${encodedScope}`);
+			}
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
+				const publicKey = await getCognitoPublicKey(kid, options.region, options.userPoolId);
+				const expectedIssuer = `https://cognito-idp.${options.region}.amazonaws.com/${options.userPoolId}`;
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: expectedIssuer,
+					audience: options.clientId,
+					maxTokenAge: "1h"
+				});
+				if (nonce && jwtClaims.nonce !== nonce) return false;
+				return true;
+			} catch (error) {
+				logger.error("Failed to verify ID token:", error);
+				return false;
+			}
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (token.idToken) try {
+				const profile = decodeJwt(token.idToken);
+				if (!profile) return null;
+				const name = profile.name || profile.given_name || profile.username || profile.email;
+				const enrichedProfile = {
+					...profile,
+					name
+				};
+				const userMap = await options.mapProfileToUser?.(enrichedProfile);
+				return {
+					user: {
+						id: profile.sub,
+						name: enrichedProfile.name,
+						email: profile.email,
+						image: profile.picture,
+						emailVerified: profile.email_verified,
+						...userMap
+					},
+					data: enrichedProfile
+				};
+			} catch (error) {
+				logger.error("Failed to decode ID token:", error);
+			}
+			if (token.accessToken) try {
+				const { data: userInfo } = await betterFetch(userInfoEndpoint, { headers: { Authorization: `Bearer ${token.accessToken}` } });
+				if (userInfo) {
+					const userMap = await options.mapProfileToUser?.(userInfo);
+					return {
+						user: {
+							id: userInfo.sub,
+							name: userInfo.name || userInfo.given_name || userInfo.username,
+							email: userInfo.email,
+							image: userInfo.picture,
+							emailVerified: userInfo.email_verified,
+							...userMap
+						},
+						data: userInfo
+					};
+				}
+			} catch (error) {
+				logger.error("Failed to fetch user info from Cognito:", error);
+			}
+			return null;
+		},
+		options
+	};
+};
+const getCognitoPublicKey = async (kid, region, userPoolId) => {
+	const COGNITO_JWKS_URI = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}/.well-known/jwks.json`;
+	try {
+		const { data } = await betterFetch(COGNITO_JWKS_URI);
+		if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+		const jwk = data.keys.find((key) => key.kid === kid);
+		if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+		return await importJWK(jwk, jwk.alg);
+	} catch (error) {
+		logger.error("Failed to fetch Cognito public key:", error);
+		throw error;
+	}
+};
+
+//#endregion
+export { cognito, getCognitoPublicKey };