@better-auth/core 1.4.12-beta.2 → 1.4.13

package/dist/social-providers/linear.mjs

@@ -0,0 +1,88 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/linear.ts
+const linear = (options) => {
+	const tokenEndpoint = "https://api.linear.app/oauth/token";
+	return {
+		id: "linear",
+		name: "Linear",
+		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "linear",
+				options,
+				authorizationEndpoint: "https://linear.app/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.linear.app/graphql", {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					Authorization: `Bearer ${token.accessToken}`
+				},
+				body: JSON.stringify({ query: `
+							query {
+								viewer {
+									id
+									name
+									email
+									avatarUrl
+									active
+									createdAt
+									updatedAt
+								}
+							}
+						` })
+			});
+			if (error || !profile?.data?.viewer) return null;
+			const userData = profile.data.viewer;
+			const userMap = await options.mapProfileToUser?.(userData);
+			return {
+				user: {
+					id: profile.data.viewer.id,
+					name: profile.data.viewer.name,
+					email: profile.data.viewer.email,
+					image: profile.data.viewer.avatarUrl,
+					emailVerified: false,
+					...userMap
+				},
+				data: userData
+			};
+		},
+		options
+	};
+};
+
+//#endregion
+export { linear };

package/dist/social-providers/linkedin.d.mts

@@ -0,0 +1,69 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/linkedin.d.ts
+interface LinkedInProfile {
+  sub: string;
+  name: string;
+  given_name: string;
+  family_name: string;
+  picture: string;
+  locale: {
+    country: string;
+    language: string;
+  };
+  email: string;
+  email_verified: boolean;
+}
+interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
+  clientId: string;
+}
+declare const linkedin: (options: LinkedInOptions) => {
+  id: "linkedin";
+  name: string;
+  createAuthorizationURL: ({
+    state,
+    scopes,
+    redirectURI,
+    loginHint
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }) => Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: LinkedInOptions;
+};
+//#endregion
+export { LinkedInOptions, LinkedInProfile, linkedin };

package/dist/social-providers/linkedin.mjs

@@ -0,0 +1,76 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/linkedin.ts
+const linkedin = (options) => {
+	const authorizationEndpoint = "https://www.linkedin.com/oauth/v2/authorization";
+	const tokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
+	return {
+		id: "linkedin",
+		name: "Linkedin",
+		createAuthorizationURL: async ({ state, scopes, redirectURI, loginHint }) => {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"profile",
+				"email",
+				"openid"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "linkedin",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				loginHint,
+				redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return await validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.linkedin.com/v2/userinfo", {
+				method: "GET",
+				headers: { Authorization: `Bearer ${token.accessToken}` }
+			});
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name,
+					email: profile.email,
+					emailVerified: profile.email_verified || false,
+					image: profile.picture,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+
+//#endregion
+export { linkedin };

package/dist/social-providers/microsoft-entra-id.d.mts

@@ -0,0 +1,174 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/microsoft-entra-id.d.ts
+/**
+ * @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)
+ */
+interface MicrosoftEntraIDProfile extends Record<string, any> {
+  /** Identifies the intended recipient of the token */
+  aud: string;
+  /** Identifies the issuer, or "authorization server" that constructs and returns the token */
+  iss: string;
+  /** Indicates when the authentication for the token occurred */
+  iat: Date;
+  /** Records the identity provider that authenticated the subject of the token */
+  idp: string;
+  /** Identifies the time before which the JWT can't be accepted for processing */
+  nbf: Date;
+  /** Identifies the expiration time on or after which the JWT can't be accepted for processing */
+  exp: Date;
+  /** Code hash included in ID tokens when issued with an OAuth 2.0 authorization code */
+  c_hash: string;
+  /** Access token hash included in ID tokens when issued with an OAuth 2.0 access token */
+  at_hash: string;
+  /** Internal claim used to record data for token reuse */
+  aio: string;
+  /** The primary username that represents the user */
+  preferred_username: string;
+  /** User's email address */
+  email: string;
+  /** Human-readable value that identifies the subject of the token */
+  name: string;
+  /** Matches the parameter included in the original authorize request */
+  nonce: string;
+  /** User's profile picture */
+  picture: string;
+  /** Immutable identifier for the user account */
+  oid: string;
+  /** Set of roles assigned to the user */
+  roles: string[];
+  /** Internal claim used to revalidate tokens */
+  rh: string;
+  /** Subject identifier - unique to application ID */
+  sub: string;
+  /** Tenant ID the user is signing in to */
+  tid: string;
+  /** Unique identifier for a session */
+  sid: string;
+  /** Token identifier claim */
+  uti: string;
+  /** Indicates if user is in at least one group */
+  hasgroups: boolean;
+  /** User account status in tenant (0 = member, 1 = guest) */
+  acct: 0 | 1;
+  /** Auth Context IDs */
+  acrs: string;
+  /** Time when the user last authenticated */
+  auth_time: Date;
+  /** User's country/region */
+  ctry: string;
+  /** IP address of requesting client when inside VNET */
+  fwd: string;
+  /** Group claims */
+  groups: string;
+  /** Login hint for SSO */
+  login_hint: string;
+  /** Resource tenant's country/region */
+  tenant_ctry: string;
+  /** Region of the resource tenant */
+  tenant_region_scope: string;
+  /** UserPrincipalName */
+  upn: string;
+  /** User's verified primary email addresses */
+  verified_primary_email: string[];
+  /** User's verified secondary email addresses */
+  verified_secondary_email: string[];
+  /** Whether the user's email is verified (optional claim, must be configured in app registration) */
+  email_verified?: boolean | undefined;
+  /** VNET specifier information */
+  vnet: string;
+  /** Client Capabilities */
+  xms_cc: string;
+  /** Whether user's email domain is verified */
+  xms_edov: boolean;
+  /** Preferred data location for Multi-Geo tenants */
+  xms_pdl: string;
+  /** User preferred language */
+  xms_pl: string;
+  /** Tenant preferred language */
+  xms_tpl: string;
+  /** Zero-touch Deployment ID */
+  ztdid: string;
+  /** IP Address */
+  ipaddr: string;
+  /** On-premises Security Identifier */
+  onprem_sid: string;
+  /** Password Expiration Time */
+  pwd_exp: number;
+  /** Change Password URL */
+  pwd_url: string;
+  /** Inside Corporate Network flag */
+  in_corp: string;
+  /** User's family name/surname */
+  family_name: string;
+  /** User's given/first name */
+  given_name: string;
+}
+interface MicrosoftOptions extends ProviderOptions<MicrosoftEntraIDProfile> {
+  clientId: string;
+  /**
+   * The tenant ID of the Microsoft account
+   * @default "common"
+   */
+  tenantId?: string | undefined;
+  /**
+   * The authentication authority URL. Use the default "https://login.microsoftonline.com" for standard Entra ID or "https://<tenant-id>.ciamlogin.com" for CIAM scenarios.
+   * @default "https://login.microsoftonline.com"
+   */
+  authority?: string | undefined;
+  /**
+   * The size of the profile photo
+   * @default 48
+   */
+  profilePhotoSize?: (48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648) | undefined;
+  /**
+   * Disable profile photo
+   */
+  disableProfilePhoto?: boolean | undefined;
+}
+declare const microsoft: (options: MicrosoftOptions) => {
+  id: "microsoft";
+  name: string;
+  createAuthorizationURL(data: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }): Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  options: MicrosoftOptions;
+};
+//#endregion
+export { MicrosoftEntraIDProfile, MicrosoftOptions, microsoft };

package/dist/social-providers/microsoft-entra-id.mjs

@@ -0,0 +1,106 @@
+import { logger } from "../env/logger.mjs";
+import "../env/index.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt } from "jose";
+
+//#region src/social-providers/microsoft-entra-id.ts
+const microsoft = (options) => {
+	const tenant = options.tenantId || "common";
+	const authority = options.authority || "https://login.microsoftonline.com";
+	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
+	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
+	return {
+		id: "microsoft",
+		name: "Microsoft EntraID",
+		createAuthorizationURL(data) {
+			const scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email",
+				"User.Read",
+				"offline_access"
+			];
+			if (options.scope) scopes.push(...options.scope);
+			if (data.scopes) scopes.push(...data.scopes);
+			return createAuthorizationURL({
+				id: "microsoft",
+				options,
+				authorizationEndpoint,
+				state: data.state,
+				codeVerifier: data.codeVerifier,
+				scopes,
+				redirectURI: data.redirectURI,
+				prompt: options.prompt,
+				loginHint: data.loginHint
+			});
+		},
+		validateAuthorizationCode({ code, codeVerifier, redirectURI }) {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.idToken) return null;
+			const user = decodeJwt(token.idToken);
+			const profilePhotoSize = options.profilePhotoSize || 48;
+			await betterFetch(`https://graph.microsoft.com/v1.0/me/photos/${profilePhotoSize}x${profilePhotoSize}/$value`, {
+				headers: { Authorization: `Bearer ${token.accessToken}` },
+				async onResponse(context) {
+					if (options.disableProfilePhoto || !context.response.ok) return;
+					try {
+						const pictureBuffer = await context.response.clone().arrayBuffer();
+						user.picture = `data:image/jpeg;base64, ${base64.encode(pictureBuffer)}`;
+					} catch (e) {
+						logger.error(e && typeof e === "object" && "name" in e ? e.name : "", e);
+					}
+				}
+			});
+			const userMap = await options.mapProfileToUser?.(user);
+			const emailVerified = user.email_verified !== void 0 ? user.email_verified : user.email && (user.verified_primary_email?.includes(user.email) || user.verified_secondary_email?.includes(user.email)) ? true : false;
+			return {
+				user: {
+					id: user.sub,
+					name: user.name,
+					email: user.email,
+					image: user.picture,
+					emailVerified,
+					...userMap
+				},
+				data: user
+			};
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			const scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email",
+				"User.Read",
+				"offline_access"
+			];
+			if (options.scope) scopes.push(...options.scope);
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientSecret: options.clientSecret
+				},
+				extraParams: { scope: scopes.join(" ") },
+				tokenEndpoint
+			});
+		},
+		options
+	};
+};
+
+//#endregion
+export { microsoft };

package/dist/social-providers/naver.d.mts

@@ -0,0 +1,104 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/naver.d.ts
+interface NaverProfile {
+  /** API response result code */
+  resultcode: string;
+  /** API response message */
+  message: string;
+  response: {
+    /** Unique Naver user identifier */
+    id: string;
+    /** User nickname */
+    nickname: string;
+    /** User real name */
+    name: string;
+    /** User email address */
+    email: string;
+    /** Gender (F: female, M: male, U: unknown) */
+    gender: string;
+    /** Age range */
+    age: string;
+    /** Birthday (MM-DD format) */
+    birthday: string;
+    /** Birth year */
+    birthyear: string;
+    /** Profile image URL */
+    profile_image: string;
+    /** Mobile phone number */
+    mobile: string;
+  };
+}
+interface NaverOptions extends ProviderOptions<NaverProfile> {
+  clientId: string;
+}
+declare const naver: (options: NaverOptions) => {
+  id: "naver";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | {
+    user: {
+      id: string;
+      name: string;
+      email: string;
+      image: string;
+      emailVerified: boolean;
+    } | {
+      id: string;
+      name: string;
+      email: string | null;
+      image: string;
+      emailVerified: boolean;
+    } | {
+      id: string;
+      name: string;
+      email: string | null;
+      image: string;
+      emailVerified: boolean;
+    };
+    data: NaverProfile;
+  } | null>;
+  options: NaverOptions;
+};
+//#endregion
+export { NaverOptions, NaverProfile, naver };

package/dist/social-providers/naver.mjs

@@ -0,0 +1,67 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/naver.ts
+const naver = (options) => {
+	return {
+		id: "naver",
+		name: "Naver",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "naver",
+				options,
+				authorizationEndpoint: "https://nid.naver.com/oauth2.0/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://nid.naver.com/oauth2.0/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://nid.naver.com/oauth2.0/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://openapi.naver.com/v1/nid/me", { headers: { Authorization: `Bearer ${token.accessToken}` } });
+			if (error || !profile || profile.resultcode !== "00") return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			const res = profile.response || {};
+			return {
+				user: {
+					id: res.id,
+					name: res.name || res.nickname,
+					email: res.email,
+					image: res.profile_image,
+					emailVerified: false,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+
+//#endregion
+export { naver };