@better-auth/core 1.4.6-beta.2 → 1.4.6-beta.4

package/src/db/get-tables.ts

@@ -0,0 +1,276 @@
+import type { BetterAuthOptions } from "../types";
+import type { BetterAuthDBSchema, DBFieldAttribute } from "./type";
+
+export const getAuthTables = (
+	options: BetterAuthOptions,
+): BetterAuthDBSchema => {
+	const pluginSchema = (options.plugins ?? []).reduce(
+		(acc, plugin) => {
+			const schema = plugin.schema;
+			if (!schema) return acc;
+			for (const [key, value] of Object.entries(schema)) {
+				acc[key] = {
+					fields: {
+						...acc[key]?.fields,
+						...value.fields,
+					},
+					modelName: value.modelName || key,
+				};
+			}
+			return acc;
+		},
+		{} as Record<
+			string,
+			{ fields: Record<string, DBFieldAttribute>; modelName: string }
+		>,
+	);
+
+	const shouldAddRateLimitTable = options.rateLimit?.storage === "database";
+	const rateLimitTable = {
+		rateLimit: {
+			modelName: options.rateLimit?.modelName || "rateLimit",
+			fields: {
+				key: {
+					type: "string",
+					fieldName: options.rateLimit?.fields?.key || "key",
+				},
+				count: {
+					type: "number",
+					fieldName: options.rateLimit?.fields?.count || "count",
+				},
+				lastRequest: {
+					type: "number",
+					bigint: true,
+					fieldName: options.rateLimit?.fields?.lastRequest || "lastRequest",
+				},
+			},
+		},
+	} satisfies BetterAuthDBSchema;
+
+	const { user, session, account, ...pluginTables } = pluginSchema;
+
+	const sessionTable = {
+		session: {
+			modelName: options.session?.modelName || "session",
+			fields: {
+				expiresAt: {
+					type: "date",
+					required: true,
+					fieldName: options.session?.fields?.expiresAt || "expiresAt",
+				},
+				token: {
+					type: "string",
+					required: true,
+					fieldName: options.session?.fields?.token || "token",
+					unique: true,
+				},
+				createdAt: {
+					type: "date",
+					required: true,
+					fieldName: options.session?.fields?.createdAt || "createdAt",
+					defaultValue: () => new Date(),
+				},
+				updatedAt: {
+					type: "date",
+					required: true,
+					fieldName: options.session?.fields?.updatedAt || "updatedAt",
+					onUpdate: () => new Date(),
+				},
+				ipAddress: {
+					type: "string",
+					required: false,
+					fieldName: options.session?.fields?.ipAddress || "ipAddress",
+				},
+				userAgent: {
+					type: "string",
+					required: false,
+					fieldName: options.session?.fields?.userAgent || "userAgent",
+				},
+				userId: {
+					type: "string",
+					fieldName: options.session?.fields?.userId || "userId",
+					references: {
+						model: options.user?.modelName || "user",
+						field: "id",
+						onDelete: "cascade",
+					},
+					required: true,
+					index: true,
+				},
+				...session?.fields,
+				...options.session?.additionalFields,
+			},
+			order: 2,
+		},
+	} satisfies BetterAuthDBSchema;
+
+	return {
+		user: {
+			modelName: options.user?.modelName || "user",
+			fields: {
+				name: {
+					type: "string",
+					required: true,
+					fieldName: options.user?.fields?.name || "name",
+					sortable: true,
+				},
+				email: {
+					type: "string",
+					unique: true,
+					required: true,
+					fieldName: options.user?.fields?.email || "email",
+					sortable: true,
+				},
+				emailVerified: {
+					type: "boolean",
+					defaultValue: false,
+					required: true,
+					fieldName: options.user?.fields?.emailVerified || "emailVerified",
+					input: false,
+				},
+				image: {
+					type: "string",
+					required: false,
+					fieldName: options.user?.fields?.image || "image",
+				},
+				createdAt: {
+					type: "date",
+					defaultValue: () => new Date(),
+					required: true,
+					fieldName: options.user?.fields?.createdAt || "createdAt",
+				},
+				updatedAt: {
+					type: "date",
+					defaultValue: () => new Date(),
+					onUpdate: () => new Date(),
+					required: true,
+					fieldName: options.user?.fields?.updatedAt || "updatedAt",
+				},
+				...user?.fields,
+				...options.user?.additionalFields,
+			},
+			order: 1,
+		},
+		//only add session table if it's not stored in secondary storage
+		...(!options.secondaryStorage || options.session?.storeSessionInDatabase
+			? sessionTable
+			: {}),
+		account: {
+			modelName: options.account?.modelName || "account",
+			fields: {
+				accountId: {
+					type: "string",
+					required: true,
+					fieldName: options.account?.fields?.accountId || "accountId",
+				},
+				providerId: {
+					type: "string",
+					required: true,
+					fieldName: options.account?.fields?.providerId || "providerId",
+				},
+				userId: {
+					type: "string",
+					references: {
+						model: options.user?.modelName || "user",
+						field: "id",
+						onDelete: "cascade",
+					},
+					required: true,
+					fieldName: options.account?.fields?.userId || "userId",
+					index: true,
+				},
+				accessToken: {
+					type: "string",
+					required: false,
+					fieldName: options.account?.fields?.accessToken || "accessToken",
+				},
+				refreshToken: {
+					type: "string",
+					required: false,
+					fieldName: options.account?.fields?.refreshToken || "refreshToken",
+				},
+				idToken: {
+					type: "string",
+					required: false,
+					fieldName: options.account?.fields?.idToken || "idToken",
+				},
+				accessTokenExpiresAt: {
+					type: "date",
+					required: false,
+					fieldName:
+						options.account?.fields?.accessTokenExpiresAt ||
+						"accessTokenExpiresAt",
+				},
+				refreshTokenExpiresAt: {
+					type: "date",
+					required: false,
+					fieldName:
+						options.account?.fields?.refreshTokenExpiresAt ||
+						"refreshTokenExpiresAt",
+				},
+				scope: {
+					type: "string",
+					required: false,
+					fieldName: options.account?.fields?.scope || "scope",
+				},
+				password: {
+					type: "string",
+					required: false,
+					fieldName: options.account?.fields?.password || "password",
+				},
+				createdAt: {
+					type: "date",
+					required: true,
+					fieldName: options.account?.fields?.createdAt || "createdAt",
+					defaultValue: () => new Date(),
+				},
+				updatedAt: {
+					type: "date",
+					required: true,
+					fieldName: options.account?.fields?.updatedAt || "updatedAt",
+					onUpdate: () => new Date(),
+				},
+				...account?.fields,
+				...options.account?.additionalFields,
+			},
+			order: 3,
+		},
+		verification: {
+			modelName: options.verification?.modelName || "verification",
+			fields: {
+				identifier: {
+					type: "string",
+					required: true,
+					fieldName: options.verification?.fields?.identifier || "identifier",
+					index: true,
+				},
+				value: {
+					type: "string",
+					required: true,
+					fieldName: options.verification?.fields?.value || "value",
+				},
+				expiresAt: {
+					type: "date",
+					required: true,
+					fieldName: options.verification?.fields?.expiresAt || "expiresAt",
+				},
+				createdAt: {
+					type: "date",
+					required: true,
+					defaultValue: () => new Date(),
+					fieldName: options.verification?.fields?.createdAt || "createdAt",
+				},
+				updatedAt: {
+					type: "date",
+					required: true,
+					defaultValue: () => new Date(),
+					onUpdate: () => new Date(),
+					fieldName: options.verification?.fields?.updatedAt || "updatedAt",
+				},
+			},
+			order: 4,
+		},
+		...pluginTables,
+		...(shouldAddRateLimitTable ? rateLimitTable : {}),
+	} satisfies BetterAuthDBSchema;
+};

package/src/db/index.ts

@@ -49,3 +49,5 @@ export type Primitive = DBPrimitive;
  * @deprecated Backport for 1.3.x, we will remove this in 1.4.x
  */
 export type BetterAuthDbSchema = BetterAuthDBSchema;
+
+export { getAuthTables } from "./get-tables";

package/src/db/test/get-tables.test.ts

@@ -0,0 +1,62 @@
+import { describe, expect, it } from "vitest";
+import { getAuthTables } from "../get-tables";
+
+describe("getAuthTables", () => {
+	it("should use correct field name for refreshTokenExpiresAt", () => {
+		const tables = getAuthTables({
+			account: {
+				fields: {
+					refreshTokenExpiresAt: "custom_refresh_token_expires_at",
+				},
+			},
+		});
+
+		const accountTable = tables.account;
+		const refreshTokenExpiresAtField =
+			accountTable!.fields.refreshTokenExpiresAt!;
+
+		expect(refreshTokenExpiresAtField.fieldName).toBe(
+			"custom_refresh_token_expires_at",
+		);
+	});
+
+	it("should not use accessTokenExpiresAt field name for refreshTokenExpiresAt", () => {
+		const tables = getAuthTables({
+			account: {
+				fields: {
+					accessTokenExpiresAt: "custom_access_token_expires_at",
+					refreshTokenExpiresAt: "custom_refresh_token_expires_at",
+				},
+			},
+		});
+
+		const accountTable = tables.account;
+		const refreshTokenExpiresAtField =
+			accountTable!.fields.refreshTokenExpiresAt!;
+		const accessTokenExpiresAtField =
+			accountTable!.fields.accessTokenExpiresAt!;
+
+		expect(refreshTokenExpiresAtField.fieldName).toBe(
+			"custom_refresh_token_expires_at",
+		);
+		expect(accessTokenExpiresAtField.fieldName).toBe(
+			"custom_access_token_expires_at",
+		);
+		expect(refreshTokenExpiresAtField.fieldName).not.toBe(
+			accessTokenExpiresAtField.fieldName,
+		);
+	});
+
+	it("should use default field names when no custom names provided", () => {
+		const tables = getAuthTables({});
+
+		const accountTable = tables.account;
+		const refreshTokenExpiresAtField =
+			accountTable!.fields.refreshTokenExpiresAt!;
+		const accessTokenExpiresAtField =
+			accountTable!.fields.accessTokenExpiresAt!;
+
+		expect(refreshTokenExpiresAtField.fieldName).toBe("refreshTokenExpiresAt");
+		expect(accessTokenExpiresAtField.fieldName).toBe("accessTokenExpiresAt");
+	});
+});

package/src/env/logger.ts

@@ -55,12 +55,10 @@ export interface Logger {
 		| undefined;
 }
 
-export type LogHandlerParams = Parameters<NonNullable<Logger["log"]>> extends [
-	LogLevel,
-	...infer Rest,
-]
-	? Rest
-	: never;
+export type LogHandlerParams =
+	Parameters<NonNullable<Logger["log"]>> extends [LogLevel, ...infer Rest]
+		? Rest
+		: never;
 
 const levelColors: Record<LogLevel, string> = {
 	info: TTY_COLORS.fg.blue,

package/src/oauth2/oauth-provider.ts

@@ -150,7 +150,7 @@ export type ProviderOptions<Profile extends Record<string, any> = any> = {
 					[key: string]: any;
 				};
 				data: any;
-		  }>)
+		  } | null>)
 		| undefined;
 	/**
 	 * Custom function to refresh a token

package/src/social-providers/google.ts

@@ -1,5 +1,6 @@
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt } from "jose";
+import { APIError } from "better-call";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 import { logger } from "../env";
 import { BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
@@ -126,24 +127,26 @@ export const google = (options: GoogleOptions) => {
 			if (options.verifyIdToken) {
 				return options.verifyIdToken(token, nonce);
 			}
-			const googlePublicKeyUrl = `https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${token}`;
-			const { data: tokenInfo } = await betterFetch<{
-				aud: string;
-				iss: string;
-				email: string;
-				email_verified: boolean;
-				name: string;
-				picture: string;
-				sub: string;
-			}>(googlePublicKeyUrl);
-			if (!tokenInfo) {
+
+			// Verify JWT integrity
+			// See https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token
+
+			const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+			if (!kid || !jwtAlg) return false;
+
+			const publicKey = await getGooglePublicKey(kid);
+			const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+				algorithms: [jwtAlg],
+				issuer: ["https://accounts.google.com", "accounts.google.com"],
+				audience: options.clientId,
+				maxTokenAge: "1h",
+			});
+
+			if (nonce && jwtClaims.nonce !== nonce) {
 				return false;
 			}
-			const isValid =
-				tokenInfo.aud === options.clientId &&
-				(tokenInfo.iss === "https://accounts.google.com" ||
-					tokenInfo.iss === "accounts.google.com");
-			return isValid;
+
+			return true;
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) {
@@ -169,3 +172,29 @@ export const google = (options: GoogleOptions) => {
 		options,
 	} satisfies OAuthProvider<GoogleProfile>;
 };
+
+export const getGooglePublicKey = async (kid: string) => {
+	const { data } = await betterFetch<{
+		keys: Array<{
+			kid: string;
+			alg: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+		}>;
+	}>("https://www.googleapis.com/oauth2/v3/certs");
+
+	if (!data?.keys) {
+		throw new APIError("BAD_REQUEST", {
+			message: "Keys not found",
+		});
+	}
+
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) {
+		throw new Error(`JWK with kid ${kid} not found`);
+	}
+
+	return await importJWK(jwk, jwk.alg);
+};

package/src/types/context.ts

@@ -165,6 +165,16 @@ export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
 		appName: string;
 		baseURL: string;
 		trustedOrigins: string[];
+		/**
+		 * Verifies whether url is a trusted origin according to the "trustedOrigins" configuration
+		 * @param url The url to verify against the "trustedOrigins" configuration
+		 * @param settings Specify supported pattern matching settings
+		 * @returns {boolean} true if the URL matches the origin pattern, false otherwise.
+		 */
+		isTrustedOrigin: (
+			url: string,
+			settings?: { allowRelativePaths: boolean },
+		) => boolean;
 		oauthConfig: {
 			/**
 			 * This is dangerous and should only be used in dev or staging environments.

package/src/types/helper.ts

@@ -4,3 +4,7 @@ export type LiteralString = "" | (string & Record<never, never>);
 export type LiteralUnion<LiteralType, BaseType extends Primitive> =
 	| LiteralType
 	| (BaseType & Record<never, never>);
+
+export type Prettify<T> = {
+	[K in keyof T]: T[K];
+} & {};

package/src/types/init-options.ts

@@ -995,7 +995,7 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							user: User & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<
 							| boolean
 							| void
@@ -1008,7 +1008,7 @@ export type BetterAuthOptions = {
 						 */
 						after?: (
 							user: User & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 					update?: {
@@ -1019,7 +1019,7 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							user: Partial<User> & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<
 							| boolean
 							| void
@@ -1032,7 +1032,7 @@ export type BetterAuthOptions = {
 						 */
 						after?: (
 							user: User & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 					delete?: {
@@ -1042,14 +1042,14 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							user: User & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<boolean | void>;
 						/**
 						 * Hook that is called after a user is deleted.
 						 */
 						after?: (
 							user: User & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 				};
@@ -1065,7 +1065,7 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							session: Session & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<
 							| boolean
 							| void
@@ -1078,7 +1078,7 @@ export type BetterAuthOptions = {
 						 */
 						after?: (
 							session: Session & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 					/**
@@ -1092,7 +1092,7 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							session: Partial<Session> & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<
 							| boolean
 							| void
@@ -1105,7 +1105,7 @@ export type BetterAuthOptions = {
 						 */
 						after?: (
 							session: Session & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 					delete?: {
@@ -1115,14 +1115,14 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							session: Session & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<boolean | void>;
 						/**
 						 * Hook that is called after a session is deleted.
 						 */
 						after?: (
 							session: Session & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 				};
@@ -1138,7 +1138,7 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							account: Account,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<
 							| boolean
 							| void
@@ -1151,7 +1151,7 @@ export type BetterAuthOptions = {
 						 */
 						after?: (
 							account: Account,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 					/**
@@ -1165,7 +1165,7 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							account: Partial<Account> & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<
 							| boolean
 							| void
@@ -1178,7 +1178,7 @@ export type BetterAuthOptions = {
 						 */
 						after?: (
 							account: Account & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 					delete?: {
@@ -1188,14 +1188,14 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							account: Account & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<boolean | void>;
 						/**
 						 * Hook that is called after an account is deleted.
 						 */
 						after?: (
 							account: Account & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 				};
@@ -1211,7 +1211,7 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							verification: Verification & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<
 							| boolean
 							| void
@@ -1224,7 +1224,7 @@ export type BetterAuthOptions = {
 						 */
 						after?: (
 							verification: Verification & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 					update?: {
@@ -1235,7 +1235,7 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							verification: Partial<Verification> & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<
 							| boolean
 							| void
@@ -1248,7 +1248,7 @@ export type BetterAuthOptions = {
 						 */
 						after?: (
 							verification: Verification & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 					delete?: {
@@ -1258,14 +1258,14 @@ export type BetterAuthOptions = {
 						 */
 						before?: (
 							verification: Verification & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<boolean | void>;
 						/**
 						 * Hook that is called after a verification is deleted.
 						 */
 						after?: (
 							verification: Verification & Record<string, unknown>,
-							context?: GenericEndpointContext,
+							context: GenericEndpointContext | null,
 						) => Promise<void>;
 					};
 				};

package/src/utils/id.ts

@@ -0,0 +1,5 @@
+import { createRandomStringGenerator } from "@better-auth/utils/random";
+
+export const generateId = (size?: number) => {
+	return createRandomStringGenerator("a-z", "A-Z", "0-9")(size || 32);
+};

package/src/utils/index.ts

@@ -1 +1,4 @@
 export { defineErrorCodes } from "./error-codes";
+export { generateId } from "./id";
+export { safeJSONParse } from "./json";
+export { capitalizeFirstLetter } from "./string";