@better-auth/core 1.4.12-beta.2 → 1.4.13

package/dist/social-providers/github.d.mts

@@ -0,0 +1,104 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/github.d.ts
+interface GithubProfile {
+  login: string;
+  id: string;
+  node_id: string;
+  avatar_url: string;
+  gravatar_id: string;
+  url: string;
+  html_url: string;
+  followers_url: string;
+  following_url: string;
+  gists_url: string;
+  starred_url: string;
+  subscriptions_url: string;
+  organizations_url: string;
+  repos_url: string;
+  events_url: string;
+  received_events_url: string;
+  type: string;
+  site_admin: boolean;
+  name: string;
+  company: string;
+  blog: string;
+  location: string;
+  email: string;
+  hireable: boolean;
+  bio: string;
+  twitter_username: string;
+  public_repos: string;
+  public_gists: string;
+  followers: string;
+  following: string;
+  created_at: string;
+  updated_at: string;
+  private_gists: string;
+  total_private_repos: string;
+  owned_private_repos: string;
+  disk_usage: string;
+  collaborators: string;
+  two_factor_authentication: boolean;
+  plan: {
+    name: string;
+    space: string;
+    private_repos: string;
+    collaborators: string;
+  };
+}
+interface GithubOptions extends ProviderOptions<GithubProfile> {
+  clientId: string;
+}
+declare const github: (options: GithubOptions) => {
+  id: "github";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    loginHint,
+    codeVerifier,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: GithubOptions;
+};
+//#endregion
+export { GithubOptions, GithubProfile, github };

package/dist/social-providers/github.mjs

@@ -0,0 +1,80 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/github.ts
+const github = (options) => {
+	const tokenEndpoint = "https://github.com/login/oauth/access_token";
+	return {
+		id: "github",
+		name: "GitHub",
+		createAuthorizationURL({ state, scopes, loginHint, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["read:user", "user:email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "github",
+				options,
+				authorizationEndpoint: "https://github.com/login/oauth/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				loginHint,
+				prompt: options.prompt
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://github.com/login/oauth/access_token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.github.com/user", { headers: {
+				"User-Agent": "better-auth",
+				authorization: `Bearer ${token.accessToken}`
+			} });
+			if (error) return null;
+			const { data: emails } = await betterFetch("https://api.github.com/user/emails", { headers: {
+				Authorization: `Bearer ${token.accessToken}`,
+				"User-Agent": "better-auth"
+			} });
+			if (!profile.email && emails) profile.email = (emails.find((e) => e.primary) ?? emails[0])?.email;
+			const emailVerified = emails?.find((e) => e.email === profile.email)?.verified ?? false;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name || profile.login,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+
+//#endregion
+export { github };

package/dist/social-providers/gitlab.d.mts

@@ -0,0 +1,125 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/gitlab.d.ts
+interface GitlabProfile extends Record<string, any> {
+  id: number;
+  username: string;
+  email: string;
+  name: string;
+  state: string;
+  avatar_url: string;
+  web_url: string;
+  created_at: string;
+  bio: string;
+  location?: string | undefined;
+  public_email: string;
+  skype: string;
+  linkedin: string;
+  twitter: string;
+  website_url: string;
+  organization: string;
+  job_title: string;
+  pronouns: string;
+  bot: boolean;
+  work_information?: string | undefined;
+  followers: number;
+  following: number;
+  local_time: string;
+  last_sign_in_at: string;
+  confirmed_at: string;
+  theme_id: number;
+  last_activity_on: string;
+  color_scheme_id: number;
+  projects_limit: number;
+  current_sign_in_at: string;
+  identities: Array<{
+    provider: string;
+    extern_uid: string;
+  }>;
+  can_create_group: boolean;
+  can_create_project: boolean;
+  two_factor_enabled: boolean;
+  external: boolean;
+  private_profile: boolean;
+  commit_email: string;
+  shared_runners_minutes_limit: number;
+  extra_shared_runners_minutes_limit: number;
+  email_verified?: boolean | undefined;
+}
+interface GitlabOptions extends ProviderOptions<GitlabProfile> {
+  clientId: string;
+  issuer?: string | undefined;
+}
+declare const gitlab: (options: GitlabOptions) => {
+  id: "gitlab";
+  name: string;
+  createAuthorizationURL: ({
+    state,
+    scopes,
+    codeVerifier,
+    loginHint,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }) => Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    redirectURI,
+    codeVerifier
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | {
+    user: {
+      id: number;
+      name: string;
+      email: string;
+      image: string;
+      emailVerified: boolean;
+    } | {
+      id: string | number;
+      name: string;
+      email: string | null;
+      image: string;
+      emailVerified: boolean;
+    } | {
+      id: string | number;
+      name: string;
+      email: string | null;
+      image: string;
+      emailVerified: boolean;
+    };
+    data: GitlabProfile;
+  } | null>;
+  options: GitlabOptions;
+};
+//#endregion
+export { GitlabOptions, GitlabProfile, gitlab };

package/dist/social-providers/gitlab.mjs

@@ -0,0 +1,82 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/gitlab.ts
+const cleanDoubleSlashes = (input = "") => {
+	return input.split("://").map((str) => str.replace(/\/{2,}/g, "/")).join("://");
+};
+const issuerToEndpoints = (issuer) => {
+	const baseUrl = issuer || "https://gitlab.com";
+	return {
+		authorizationEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/authorize`),
+		tokenEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/token`),
+		userinfoEndpoint: cleanDoubleSlashes(`${baseUrl}/api/v4/user`)
+	};
+};
+const gitlab = (options) => {
+	const { authorizationEndpoint, tokenEndpoint, userinfoEndpoint } = issuerToEndpoints(options.issuer);
+	const issuerId = "gitlab";
+	return {
+		id: issuerId,
+		name: "Gitlab",
+		createAuthorizationURL: async ({ state, scopes, codeVerifier, loginHint, redirectURI }) => {
+			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: issuerId,
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				redirectURI,
+				codeVerifier,
+				loginHint
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				codeVerifier,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch(userinfoEndpoint, { headers: { authorization: `Bearer ${token.accessToken}` } });
+			if (error || profile.state !== "active" || profile.locked) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name ?? profile.username,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified: profile.email_verified ?? false,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+
+//#endregion
+export { gitlab };

package/dist/social-providers/google.d.mts

@@ -0,0 +1,99 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/google.d.ts
+interface GoogleProfile {
+  aud: string;
+  azp: string;
+  email: string;
+  email_verified: boolean;
+  exp: number;
+  /**
+   * The family name of the user, or last name in most
+   * Western languages.
+   */
+  family_name: string;
+  /**
+   * The given name of the user, or first name in most
+   * Western languages.
+   */
+  given_name: string;
+  hd?: string | undefined;
+  iat: number;
+  iss: string;
+  jti?: string | undefined;
+  locale?: string | undefined;
+  name: string;
+  nbf?: number | undefined;
+  picture: string;
+  sub: string;
+}
+interface GoogleOptions extends ProviderOptions<GoogleProfile> {
+  clientId: string;
+  /**
+   * The access type to use for the authorization code request
+   */
+  accessType?: ("offline" | "online") | undefined;
+  /**
+   * The display mode to use for the authorization code request
+   */
+  display?: ("page" | "popup" | "touch" | "wap") | undefined;
+  /**
+   * The hosted domain of the user
+   */
+  hd?: string | undefined;
+}
+declare const google: (options: GoogleOptions) => {
+  id: "google";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    codeVerifier,
+    redirectURI,
+    loginHint,
+    display
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: GoogleOptions;
+};
+declare const getGooglePublicKey: (kid: string) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
+//#endregion
+export { GoogleOptions, GoogleProfile, getGooglePublicKey, google };

package/dist/social-providers/google.mjs

@@ -0,0 +1,109 @@
+import { logger } from "../env/logger.mjs";
+import "../env/index.mjs";
+import { BetterAuthError } from "../error/index.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { APIError } from "better-call";
+
+//#region src/social-providers/google.ts
+const google = (options) => {
+	return {
+		id: "google",
+		name: "Google",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, display }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Google");
+			const _scopes = options.disableDefaultScope ? [] : [
+				"email",
+				"profile",
+				"openid"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "google",
+				options,
+				authorizationEndpoint: "https://accounts.google.com/o/oauth2/auth",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+				accessType: options.accessType,
+				display: display || options.display,
+				loginHint,
+				hd: options.hd,
+				additionalParams: { include_granted_scopes: "true" }
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://oauth2.googleapis.com/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://www.googleapis.com/oauth2/v4/token"
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+			if (!kid || !jwtAlg) return false;
+			const { payload: jwtClaims } = await jwtVerify(token, await getGooglePublicKey(kid), {
+				algorithms: [jwtAlg],
+				issuer: ["https://accounts.google.com", "accounts.google.com"],
+				audience: options.clientId,
+				maxTokenAge: "1h"
+			});
+			if (nonce && jwtClaims.nonce !== nonce) return false;
+			return true;
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.idToken) return null;
+			const user = decodeJwt(token.idToken);
+			const userMap = await options.mapProfileToUser?.(user);
+			return {
+				user: {
+					id: user.sub,
+					name: user.name,
+					email: user.email,
+					image: user.picture,
+					emailVerified: user.email_verified,
+					...userMap
+				},
+				data: user
+			};
+		},
+		options
+	};
+};
+const getGooglePublicKey = async (kid) => {
+	const { data } = await betterFetch("https://www.googleapis.com/oauth2/v3/certs");
+	if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+	return await importJWK(jwk, jwk.alg);
+};
+
+//#endregion
+export { getGooglePublicKey, google };

package/dist/social-providers/huggingface.d.mts

@@ -0,0 +1,85 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/huggingface.d.ts
+interface HuggingFaceProfile {
+  sub: string;
+  name: string;
+  preferred_username: string;
+  profile: string;
+  picture: string;
+  website?: string | undefined;
+  email?: string | undefined;
+  email_verified?: boolean | undefined;
+  isPro: boolean;
+  canPay?: boolean | undefined;
+  orgs?: {
+    sub: string;
+    name: string;
+    picture: string;
+    preferred_username: string;
+    isEnterprise: boolean | "plus";
+    canPay?: boolean;
+    roleInOrg?: "admin" | "write" | "contributor" | "read";
+    pendingSSO?: boolean;
+    missingMFA?: boolean;
+    resourceGroups?: {
+      sub: string;
+      name: string;
+      role: "admin" | "write" | "contributor" | "read";
+    }[];
+  } | undefined;
+}
+interface HuggingFaceOptions extends ProviderOptions<HuggingFaceProfile> {
+  clientId: string;
+}
+declare const huggingface: (options: HuggingFaceOptions) => {
+  id: "huggingface";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    codeVerifier,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: HuggingFaceOptions;
+};
+//#endregion
+export { HuggingFaceOptions, HuggingFaceProfile, huggingface };