@better-auth/core 1.4.12-beta.2 → 1.4.13

package/dist/oauth2/create-authorization-url.mjs

@@ -0,0 +1,42 @@
+import { generateCodeChallenge } from "./utils.mjs";
+
+//#region src/oauth2/create-authorization-url.ts
+async function createAuthorizationURL({ id, options, authorizationEndpoint, state, codeVerifier, scopes, claims, redirectURI, duration, prompt, accessType, responseType, display, loginHint, hd, responseMode, additionalParams, scopeJoiner }) {
+	const url = new URL(options.authorizationEndpoint || authorizationEndpoint);
+	url.searchParams.set("response_type", responseType || "code");
+	const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+	url.searchParams.set("client_id", primaryClientId);
+	url.searchParams.set("state", state);
+	if (scopes) url.searchParams.set("scope", scopes.join(scopeJoiner || " "));
+	url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+	duration && url.searchParams.set("duration", duration);
+	display && url.searchParams.set("display", display);
+	loginHint && url.searchParams.set("login_hint", loginHint);
+	prompt && url.searchParams.set("prompt", prompt);
+	hd && url.searchParams.set("hd", hd);
+	accessType && url.searchParams.set("access_type", accessType);
+	responseMode && url.searchParams.set("response_mode", responseMode);
+	if (codeVerifier) {
+		const codeChallenge = await generateCodeChallenge(codeVerifier);
+		url.searchParams.set("code_challenge_method", "S256");
+		url.searchParams.set("code_challenge", codeChallenge);
+	}
+	if (claims) {
+		const claimsObj = claims.reduce((acc, claim) => {
+			acc[claim] = null;
+			return acc;
+		}, {});
+		url.searchParams.set("claims", JSON.stringify({ id_token: {
+			email: null,
+			email_verified: null,
+			...claimsObj
+		} }));
+	}
+	if (additionalParams) Object.entries(additionalParams).forEach(([key, value]) => {
+		url.searchParams.set(key, value);
+	});
+	return url;
+}
+
+//#endregion
+export { createAuthorizationURL };

package/dist/oauth2/index.d.mts

@@ -1,2 +1,8 @@
-import { Bn as refreshAccessToken, Fn as validateAuthorizationCode, Gn as OAuth2UserInfo, Hn as clientCredentialsToken, In as validateToken, Kn as OAuthProvider, Ln as generateCodeChallenge, Mn as verifyAccessToken, Nn as verifyJwsAccessToken, Pn as createAuthorizationCodeRequest, Rn as getOAuth2Tokens, Un as createClientCredentialsTokenRequest, Vn as createAuthorizationURL, Wn as OAuth2Tokens, jn as getJwks, qn as ProviderOptions, zn as createRefreshAccessTokenRequest } from "../index-zgYuzZ7O.mjs";
-export { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions, clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };
+import { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions } from "./oauth-provider.mjs";
+import { clientCredentialsToken, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
+import { createAuthorizationURL } from "./create-authorization-url.mjs";
+import { createRefreshAccessTokenRequest, refreshAccessToken } from "./refresh-access-token.mjs";
+import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
+import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
+export { type OAuth2Tokens, type OAuth2UserInfo, type OAuthProvider, type ProviderOptions, clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/index.mjs

@@ -1,4 +1,8 @@
-import "../env-DbssmzoK.mjs";
-import { a as validateAuthorizationCode, c as refreshAccessToken, d as getOAuth2Tokens, f as clientCredentialsToken, i as createAuthorizationCodeRequest, l as createAuthorizationURL, n as verifyAccessToken, o as validateToken, p as createClientCredentialsTokenRequest, r as verifyJwsAccessToken, s as createRefreshAccessTokenRequest, t as getJwks, u as generateCodeChallenge } from "../oauth2-COJkghlT.mjs";
+import { clientCredentialsToken, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
+import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { createAuthorizationURL } from "./create-authorization-url.mjs";
+import { createRefreshAccessTokenRequest, refreshAccessToken } from "./refresh-access-token.mjs";
+import { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
+import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
 
 export { clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/oauth-provider.d.mts

@@ -0,0 +1,194 @@
+import { Awaitable, LiteralString } from "../types/helper.mjs";
+import "../types/index.mjs";
+
+//#region src/oauth2/oauth-provider.d.ts
+interface OAuth2Tokens {
+  tokenType?: string | undefined;
+  accessToken?: string | undefined;
+  refreshToken?: string | undefined;
+  accessTokenExpiresAt?: Date | undefined;
+  refreshTokenExpiresAt?: Date | undefined;
+  scopes?: string[] | undefined;
+  idToken?: string | undefined;
+  /**
+   * Raw token response from the provider.
+   * Preserves provider-specific fields that are not part of the standard OAuth2 token response.
+   */
+  raw?: Record<string, unknown> | undefined;
+}
+type OAuth2UserInfo = {
+  id: string | number;
+  name?: string | undefined;
+  email?: (string | null) | undefined;
+  image?: string | undefined;
+  emailVerified: boolean;
+};
+interface OAuthProvider<T extends Record<string, any> = Record<string, any>, O extends Record<string, any> = Partial<ProviderOptions>> {
+  id: LiteralString;
+  createAuthorizationURL: (data: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }) => Awaitable<URL>;
+  name: string;
+  validateAuthorizationCode: (data: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  getUserInfo: (token: OAuth2Tokens & {
+    /**
+     * The user object from the provider
+     * This is only available for some providers like Apple
+     */
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }) => Promise<{
+    user: OAuth2UserInfo;
+    data: T;
+  } | null>;
+  /**
+   * Custom function to refresh a token
+   */
+  refreshAccessToken?: ((refreshToken: string) => Promise<OAuth2Tokens>) | undefined;
+  revokeToken?: ((token: string) => Promise<void>) | undefined;
+  /**
+   * Verify the id token
+   * @param token - The id token
+   * @param nonce - The nonce
+   * @returns True if the id token is valid, false otherwise
+   */
+  verifyIdToken?: ((token: string, nonce?: string) => Promise<boolean>) | undefined;
+  /**
+   * Disable implicit sign up for new users. When set to true for the provider,
+   * sign-in need to be called with with requestSignUp as true to create new users.
+   */
+  disableImplicitSignUp?: boolean | undefined;
+  /**
+   * Disable sign up for new users.
+   */
+  disableSignUp?: boolean | undefined;
+  /**
+   * Options for the provider
+   */
+  options?: O | undefined;
+}
+type ProviderOptions<Profile extends Record<string, any> = any> = {
+  /**
+   * The client ID of your application.
+   *
+   * This is usually a string but can be any type depending on the provider.
+   */
+  clientId?: unknown | undefined;
+  /**
+   * The client secret of your application
+   */
+  clientSecret?: string | undefined;
+  /**
+   * The scopes you want to request from the provider
+   */
+  scope?: string[] | undefined;
+  /**
+   * Remove default scopes of the provider
+   */
+  disableDefaultScope?: boolean | undefined;
+  /**
+   * The redirect URL for your application. This is where the provider will
+   * redirect the user after the sign in process. Make sure this URL is
+   * whitelisted in the provider's dashboard.
+   */
+  redirectURI?: string | undefined;
+  /**
+   * Custom authorization endpoint URL.
+   * Use this to override the default authorization endpoint of the provider.
+   * Useful for testing with local OAuth servers or using sandbox environments.
+   */
+  authorizationEndpoint?: string | undefined;
+  /**
+   * The client key of your application
+   * Tiktok Social Provider uses this field instead of clientId
+   */
+  clientKey?: string | undefined;
+  /**
+   * Disable provider from allowing users to sign in
+   * with this provider with an id token sent from the
+   * client.
+   */
+  disableIdTokenSignIn?: boolean | undefined;
+  /**
+   * verifyIdToken function to verify the id token
+   */
+  verifyIdToken?: ((token: string, nonce?: string) => Promise<boolean>) | undefined;
+  /**
+   * Custom function to get user info from the provider
+   */
+  getUserInfo?: ((token: OAuth2Tokens) => Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>) | undefined;
+  /**
+   * Custom function to refresh a token
+   */
+  refreshAccessToken?: ((refreshToken: string) => Promise<OAuth2Tokens>) | undefined;
+  /**
+   * Custom function to map the provider profile to a
+   * user.
+   */
+  mapProfileToUser?: ((profile: Profile) => {
+    id?: string;
+    name?: string;
+    email?: string | null;
+    image?: string;
+    emailVerified?: boolean;
+    [key: string]: any;
+  } | Promise<{
+    id?: string;
+    name?: string;
+    email?: string | null;
+    image?: string;
+    emailVerified?: boolean;
+    [key: string]: any;
+  }>) | undefined;
+  /**
+   * Disable implicit sign up for new users. When set to true for the provider,
+   * sign-in need to be called with with requestSignUp as true to create new users.
+   */
+  disableImplicitSignUp?: boolean | undefined;
+  /**
+   * Disable sign up for new users.
+   */
+  disableSignUp?: boolean | undefined;
+  /**
+   * The prompt to use for the authorization code request
+   */
+  prompt?: ("select_account" | "consent" | "login" | "none" | "select_account consent") | undefined;
+  /**
+   * The response mode to use for the authorization code request
+   */
+  responseMode?: ("query" | "form_post") | undefined;
+  /**
+   * If enabled, the user info will be overridden with the provider user info
+   * This is useful if you want to use the provider user info to update the user info
+   *
+   * @default false
+   */
+  overrideUserInfoOnSignIn?: boolean | undefined;
+};
+//#endregion
+export { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions };

package/dist/oauth2/refresh-access-token.d.mts

@@ -0,0 +1,36 @@
+import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+
+//#region src/oauth2/refresh-access-token.d.ts
+declare function createRefreshAccessTokenRequest({
+  refreshToken,
+  options,
+  authentication,
+  extraParams,
+  resource
+}: {
+  refreshToken: string;
+  options: Partial<ProviderOptions>;
+  authentication?: ("basic" | "post") | undefined;
+  extraParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): {
+  body: URLSearchParams;
+  headers: Record<string, any>;
+};
+declare function refreshAccessToken({
+  refreshToken,
+  options,
+  tokenEndpoint,
+  authentication,
+  extraParams
+}: {
+  refreshToken: string;
+  options: Partial<ProviderOptions>;
+  tokenEndpoint: string;
+  authentication?: ("basic" | "post") | undefined;
+  extraParams?: Record<string, string> | undefined;
+  /** @deprecated always "refresh_token" */
+  grantType?: string | undefined;
+}): Promise<OAuth2Tokens>;
+//#endregion
+export { createRefreshAccessTokenRequest, refreshAccessToken };

package/dist/oauth2/refresh-access-token.mjs

@@ -0,0 +1,58 @@
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/oauth2/refresh-access-token.ts
+function createRefreshAccessTokenRequest({ refreshToken, options, authentication, extraParams, resource }) {
+	const body = new URLSearchParams();
+	const headers = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json"
+	};
+	body.set("grant_type", "refresh_token");
+	body.set("refresh_token", refreshToken);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		if (primaryClientId) headers["authorization"] = "Basic " + base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`);
+		else headers["authorization"] = "Basic " + base64.encode(`:${options.clientSecret ?? ""}`);
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) body.set("client_secret", options.clientSecret);
+	}
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (extraParams) for (const [key, value] of Object.entries(extraParams)) body.set(key, value);
+	return {
+		body,
+		headers
+	};
+}
+async function refreshAccessToken({ refreshToken, options, tokenEndpoint, authentication, extraParams }) {
+	const { body, headers } = createRefreshAccessTokenRequest({
+		refreshToken,
+		options,
+		authentication,
+		extraParams
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers
+	});
+	if (error) throw error;
+	const tokens = {
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		tokenType: data.token_type,
+		scopes: data.scope?.split(" "),
+		idToken: data.id_token
+	};
+	if (data.expires_in) {
+		const now = /* @__PURE__ */ new Date();
+		tokens.accessTokenExpiresAt = new Date(now.getTime() + data.expires_in * 1e3);
+	}
+	return tokens;
+}
+
+//#endregion
+export { createRefreshAccessTokenRequest, refreshAccessToken };

package/dist/oauth2/utils.d.mts

@@ -0,0 +1,7 @@
+import { OAuth2Tokens } from "./oauth-provider.mjs";
+
+//#region src/oauth2/utils.d.ts
+declare function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens;
+declare function generateCodeChallenge(codeVerifier: string): Promise<string>;
+//#endregion
+export { generateCodeChallenge, getOAuth2Tokens };

package/dist/oauth2/utils.mjs

@@ -0,0 +1,27 @@
+import { base64Url } from "@better-auth/utils/base64";
+
+//#region src/oauth2/utils.ts
+function getOAuth2Tokens(data) {
+	const getDate = (seconds) => {
+		const now = /* @__PURE__ */ new Date();
+		return new Date(now.getTime() + seconds * 1e3);
+	};
+	return {
+		tokenType: data.token_type,
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		accessTokenExpiresAt: data.expires_in ? getDate(data.expires_in) : void 0,
+		refreshTokenExpiresAt: data.refresh_token_expires_in ? getDate(data.refresh_token_expires_in) : void 0,
+		scopes: data?.scope ? typeof data.scope === "string" ? data.scope.split(" ") : data.scope : [],
+		idToken: data.id_token,
+		raw: data
+	};
+}
+async function generateCodeChallenge(codeVerifier) {
+	const data = new TextEncoder().encode(codeVerifier);
+	const hash = await crypto.subtle.digest("SHA-256", data);
+	return base64Url.encode(new Uint8Array(hash), { padding: false });
+}
+
+//#endregion
+export { generateCodeChallenge, getOAuth2Tokens };

package/dist/oauth2/validate-authorization-code.d.mts

@@ -0,0 +1,55 @@
+import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+import "./index.mjs";
+import * as jose0 from "jose";
+
+//#region src/oauth2/validate-authorization-code.d.ts
+declare function createAuthorizationCodeRequest({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams,
+  resource
+}: {
+  code: string;
+  redirectURI: string;
+  options: Partial<ProviderOptions>;
+  codeVerifier?: string | undefined;
+  deviceId?: string | undefined;
+  authentication?: ("basic" | "post") | undefined;
+  headers?: Record<string, string> | undefined;
+  additionalParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): {
+  body: URLSearchParams;
+  headers: Record<string, any>;
+};
+declare function validateAuthorizationCode({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  tokenEndpoint,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams,
+  resource
+}: {
+  code: string;
+  redirectURI: string;
+  options: Partial<ProviderOptions>;
+  codeVerifier?: string | undefined;
+  deviceId?: string | undefined;
+  tokenEndpoint: string;
+  authentication?: ("basic" | "post") | undefined;
+  headers?: Record<string, string> | undefined;
+  additionalParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): Promise<OAuth2Tokens>;
+declare function validateToken(token: string, jwksEndpoint: string): Promise<jose0.JWTVerifyResult<jose0.JWTPayload>>;
+//#endregion
+export { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken };

package/dist/oauth2/validate-authorization-code.mjs

@@ -0,0 +1,71 @@
+import { getOAuth2Tokens } from "./utils.mjs";
+import "./index.mjs";
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import { jwtVerify } from "jose";
+
+//#region src/oauth2/validate-authorization-code.ts
+function createAuthorizationCodeRequest({ code, codeVerifier, redirectURI, options, authentication, deviceId, headers, additionalParams = {}, resource }) {
+	const body = new URLSearchParams();
+	const requestHeaders = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+		...headers
+	};
+	body.set("grant_type", "authorization_code");
+	body.set("code", code);
+	codeVerifier && body.set("code_verifier", codeVerifier);
+	options.clientKey && body.set("client_key", options.clientKey);
+	deviceId && body.set("device_id", deviceId);
+	body.set("redirect_uri", options.redirectURI || redirectURI);
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		requestHeaders["authorization"] = `Basic ${base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`)}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) body.set("client_secret", options.clientSecret);
+	}
+	for (const [key, value] of Object.entries(additionalParams)) if (!body.has(key)) body.append(key, value);
+	return {
+		body,
+		headers: requestHeaders
+	};
+}
+async function validateAuthorizationCode({ code, codeVerifier, redirectURI, options, tokenEndpoint, authentication, deviceId, headers, additionalParams = {}, resource }) {
+	const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers: requestHeaders
+	});
+	if (error) throw error;
+	return getOAuth2Tokens(data);
+}
+async function validateToken(token, jwksEndpoint) {
+	const { data, error } = await betterFetch(jwksEndpoint, {
+		method: "GET",
+		headers: { accept: "application/json" }
+	});
+	if (error) throw error;
+	const keys = data["keys"];
+	const header = JSON.parse(atob(token.split(".")[0]));
+	const key = keys.find((key$1) => key$1.kid === header.kid);
+	if (!key) throw new Error("Key not found");
+	return await jwtVerify(token, key);
+}
+
+//#endregion
+export { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken };

package/dist/oauth2/verify.d.mts

@@ -0,0 +1,49 @@
+import { JSONWebKeySet, JWTPayload, JWTVerifyOptions } from "jose";
+
+//#region src/oauth2/verify.d.ts
+interface VerifyAccessTokenRemote {
+  /** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
+  introspectUrl: string;
+  /** Client Secret */
+  clientId: string;
+  /** Client Secret */
+  clientSecret: string;
+  /**
+   * Forces remote verification of a token.
+   * This ensures attached session (if applicable)
+   * is also still active.
+   */
+  force?: boolean;
+}
+/**
+ * Performs local verification of an access token for your APIs.
+ *
+ * Can also be configured for remote verification.
+ */
+declare function verifyJwsAccessToken(token: string, opts: {
+  /** Jwks url or promise of a Jwks */
+  jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+  /** Verify options */
+  verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+}): Promise<JWTPayload>;
+declare function getJwks(token: string, opts: {
+  /** Jwks url or promise of a Jwks */
+  jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+}): Promise<JSONWebKeySet>;
+/**
+ * Performs local verification of an access token for your API.
+ *
+ * Can also be configured for remote verification.
+ */
+declare function verifyAccessToken(token: string, opts: {
+  /** Verify options */
+  verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+  /** Scopes to additionally verify. Token must include all but not exact. */
+  scopes?: string[];
+  /** Required to verify access token locally */
+  jwksUrl?: string;
+  /** If provided, can verify a token remotely */
+  remoteVerify?: VerifyAccessTokenRemote;
+}): Promise<JWTPayload>;
+//#endregion
+export { getJwks, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/verify.mjs

@@ -0,0 +1,95 @@
+import { logger } from "../env/logger.mjs";
+import "../env/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+import { UnsecuredJWT, createLocalJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+import { APIError } from "better-call";
+
+//#region src/oauth2/verify.ts
+/** Last fetched jwks used locally in getJwks @internal */
+let jwks;
+/**
+* Performs local verification of an access token for your APIs.
+*
+* Can also be configured for remote verification.
+*/
+async function verifyJwsAccessToken(token, opts) {
+	try {
+		const jwt = await jwtVerify(token, createLocalJWKSet(await getJwks(token, opts)), opts.verifyOptions);
+		if (jwt.payload.azp) jwt.payload.client_id = jwt.payload.azp;
+		return jwt.payload;
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error);
+	}
+}
+async function getJwks(token, opts) {
+	let jwtHeaders;
+	try {
+		jwtHeaders = decodeProtectedHeader(token);
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error);
+	}
+	if (!jwtHeaders.kid) throw new Error("Missing jwt kid");
+	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
+		jwks = typeof opts.jwksFetch === "string" ? await betterFetch(opts.jwksFetch, { headers: { Accept: "application/json" } }).then(async (res) => {
+			if (res.error) throw new Error(`Jwks failed: ${res.error.message ?? res.error.statusText}`);
+			return res.data;
+		}) : await opts.jwksFetch();
+		if (!jwks) throw new Error("No jwks found");
+	}
+	return jwks;
+}
+/**
+* Performs local verification of an access token for your API.
+*
+* Can also be configured for remote verification.
+*/
+async function verifyAccessToken(token, opts) {
+	let payload;
+	if (opts.jwksUrl && !opts?.remoteVerify?.force) try {
+		payload = await verifyJwsAccessToken(token, {
+			jwksFetch: opts.jwksUrl,
+			verifyOptions: opts.verifyOptions
+		});
+	} catch (error) {
+		if (error instanceof Error) if (error.name === "TypeError" || error.name === "JWSInvalid") {} else if (error.name === "JWTExpired") throw new APIError("UNAUTHORIZED", { message: "token expired" });
+		else if (error.name === "JWTInvalid") throw new APIError("UNAUTHORIZED", { message: "token invalid" });
+		else throw error;
+		else throw new Error(error);
+	}
+	if (opts?.remoteVerify) {
+		const { data: introspect, error: introspectError } = await betterFetch(opts.remoteVerify.introspectUrl, {
+			method: "POST",
+			headers: {
+				Accept: "application/json",
+				"Content-Type": "application/x-www-form-urlencoded"
+			},
+			body: new URLSearchParams({
+				client_id: opts.remoteVerify.clientId,
+				client_secret: opts.remoteVerify.clientSecret,
+				token,
+				token_type_hint: "access_token"
+			}).toString()
+		});
+		if (introspectError) logger.error(`Introspection failed: ${introspectError.message ?? introspectError.statusText}`);
+		if (!introspect) throw new APIError("INTERNAL_SERVER_ERROR", { message: "introspection failed" });
+		if (!introspect.active) throw new APIError("UNAUTHORIZED", { message: "token inactive" });
+		try {
+			const unsecuredJwt = new UnsecuredJWT(introspect).encode();
+			const { audience: _audience, ...verifyOptions } = opts.verifyOptions;
+			payload = (introspect.aud ? UnsecuredJWT.decode(unsecuredJwt, opts.verifyOptions) : UnsecuredJWT.decode(unsecuredJwt, verifyOptions)).payload;
+		} catch (error) {
+			throw new Error(error);
+		}
+	}
+	if (!payload) throw new APIError("UNAUTHORIZED", { message: `no token payload` });
+	if (opts.scopes) {
+		const validScopes = new Set(payload.scope?.split(" "));
+		for (const sc of opts.scopes) if (!validScopes.has(sc)) throw new APIError("FORBIDDEN", { message: `invalid scope ${sc}` });
+	}
+	return payload;
+}
+
+//#endregion
+export { getJwks, verifyAccessToken, verifyJwsAccessToken };