@better-auth/core 1.5.0-beta.13 → 1.5.0-beta.16

package/src/oauth2/refresh-access-token.ts

@@ -119,6 +119,7 @@ export async function refreshAccessToken({
 		access_token: string;
 		refresh_token?: string | undefined;
 		expires_in?: number | undefined;
+		refresh_token_expires_in?: number | undefined;
 		token_type?: string | undefined;
 		scope?: string | undefined;
 		id_token?: string | undefined;
@@ -145,5 +146,12 @@ export async function refreshAccessToken({
 		);
 	}
 
+	if (data.refresh_token_expires_in) {
+		const now = new Date();
+		tokens.refreshTokenExpiresAt = new Date(
+			now.getTime() + data.refresh_token_expires_in * 1000,
+		);
+	}
+
 	return tokens;
 }

package/src/oauth2/validate-token.test.ts

@@ -1,14 +1,6 @@
 import type { JWK } from "jose";
 import { exportJWK, generateKeyPair, SignJWT } from "jose";
-import {
-	afterAll,
-	beforeAll,
-	beforeEach,
-	describe,
-	expect,
-	it,
-	vi,
-} from "vitest";
+import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
 import { validateToken } from "./validate-authorization-code";
 
 describe("validateToken", () => {
@@ -24,10 +16,6 @@ describe("validateToken", () => {
 		globalThis.fetch = originalFetch;
 	});
 
-	beforeEach(() => {
-		mockedFetch.mockReset();
-	});
-
 	async function createTestJWKS(alg: string, crv?: string) {
 		const { publicKey, privateKey } = await generateKeyPair(alg, {
 			crv,

package/src/social-providers/apple.ts

@@ -112,30 +112,34 @@ export const apple = (options: AppleOptions) => {
 			if (options.verifyIdToken) {
 				return options.verifyIdToken(token, nonce);
 			}
-			const decodedHeader = decodeProtectedHeader(token);
-			const { kid, alg: jwtAlg } = decodedHeader;
-			if (!kid || !jwtAlg) return false;
-			const publicKey = await getApplePublicKey(kid);
-			const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
-				algorithms: [jwtAlg],
-				issuer: "https://appleid.apple.com",
-				audience:
-					options.audience && options.audience.length
-						? options.audience
-						: options.appBundleIdentifier
-							? options.appBundleIdentifier
-							: options.clientId,
-				maxTokenAge: "1h",
-			});
-			["email_verified", "is_private_email"].forEach((field) => {
-				if (jwtClaims[field] !== undefined) {
-					jwtClaims[field] = Boolean(jwtClaims[field]);
+			try {
+				const decodedHeader = decodeProtectedHeader(token);
+				const { kid, alg: jwtAlg } = decodedHeader;
+				if (!kid || !jwtAlg) return false;
+				const publicKey = await getApplePublicKey(kid);
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: "https://appleid.apple.com",
+					audience:
+						options.audience && options.audience.length
+							? options.audience
+							: options.appBundleIdentifier
+								? options.appBundleIdentifier
+								: options.clientId,
+					maxTokenAge: "1h",
+				});
+				["email_verified", "is_private_email"].forEach((field) => {
+					if (jwtClaims[field] !== undefined) {
+						jwtClaims[field] = Boolean(jwtClaims[field]);
+					}
+				});
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
 				}
-			});
-			if (nonce && jwtClaims.nonce !== nonce) {
+				return !!jwtClaims;
+			} catch {
 				return false;
 			}
-			return !!jwtClaims;
 		},
 		refreshAccessToken: options.refreshAccessToken
 			? options.refreshAccessToken
@@ -158,15 +162,15 @@ export const apple = (options: AppleOptions) => {
 				return null;
 			}
 
-			// TODO: " " masking will be removed when the name field is made optional
+			// TODO: "" masking will be removed when the name field is made optional
 			let name: string;
 			if (token.user?.name) {
 				const firstName = token.user.name.firstName || "";
 				const lastName = token.user.name.lastName || "";
 				const fullName = `${firstName} ${lastName}`.trim();
-				name = fullName || " ";
+				name = fullName;
 			} else {
-				name = profile.name || " ";
+				name = profile.name || "";
 			}
 
 			const emailVerified =

package/src/social-providers/cognito.ts

@@ -178,10 +178,7 @@ export const cognito = (options: CognitoOptions) => {
 						return null;
 					}
 					const name =
-						profile.name ||
-						profile.given_name ||
-						profile.username ||
-						profile.email;
+						profile.name || profile.given_name || profile.username || "";
 					const enrichedProfile = {
 						...profile,
 						name,
@@ -220,7 +217,11 @@ export const cognito = (options: CognitoOptions) => {
 						return {
 							user: {
 								id: userInfo.sub,
-								name: userInfo.name || userInfo.given_name || userInfo.username,
+								name:
+									userInfo.name ||
+									userInfo.given_name ||
+									userInfo.username ||
+									"",
 								email: userInfo.email,
 								image: userInfo.picture,
 								emailVerified: userInfo.email_verified,

package/src/social-providers/github.ts

@@ -170,7 +170,7 @@ export const github = (options: GithubOptions) => {
 			return {
 				user: {
 					id: profile.id,
-					name: profile.name || profile.login,
+					name: profile.name || profile.login || "",
 					email: profile.email,
 					image: profile.avatar_url,
 					emailVerified,

package/src/social-providers/gitlab.ts

@@ -141,7 +141,7 @@ export const gitlab = (options: GitlabOptions) => {
 			return {
 				user: {
 					id: profile.id,
-					name: profile.name ?? profile.username,
+					name: profile.name ?? profile.username ?? "",
 					email: profile.email,
 					image: profile.avatar_url,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/google.ts

@@ -130,22 +130,26 @@ export const google = (options: GoogleOptions) => {
 			// Verify JWT integrity
 			// See https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token
 
-			const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
-			if (!kid || !jwtAlg) return false;
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
 
-			const publicKey = await getGooglePublicKey(kid);
-			const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
-				algorithms: [jwtAlg],
-				issuer: ["https://accounts.google.com", "accounts.google.com"],
-				audience: options.clientId,
-				maxTokenAge: "1h",
-			});
+				const publicKey = await getGooglePublicKey(kid);
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: ["https://accounts.google.com", "accounts.google.com"],
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				});
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
 
-			if (nonce && jwtClaims.nonce !== nonce) {
+				return true;
+			} catch {
 				return false;
 			}
-
-			return true;
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) {

package/src/social-providers/huggingface.ts

@@ -104,7 +104,7 @@ export const huggingface = (options: HuggingFaceOptions) => {
 			return {
 				user: {
 					id: profile.sub,
-					name: profile.name || profile.preferred_username,
+					name: profile.name || profile.preferred_username || "",
 					email: profile.email,
 					image: profile.picture,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/index.ts

@@ -22,6 +22,7 @@ import { notion } from "./notion";
 import { paybin } from "./paybin";
 import { paypal } from "./paypal";
 import { polar } from "./polar";
+import { railway } from "./railway";
 import { reddit } from "./reddit";
 import { roblox } from "./roblox";
 import { salesforce } from "./salesforce";
@@ -67,6 +68,7 @@ export const socialProviders = {
 	paybin,
 	paypal,
 	polar,
+	railway,
 	vercel,
 };
 
@@ -113,6 +115,7 @@ export * from "./notion";
 export * from "./paybin";
 export * from "./paypal";
 export * from "./polar";
+export * from "./railway";
 export * from "./reddit";
 export * from "./roblox";
 export * from "./salesforce";

package/src/social-providers/kakao.ts

@@ -161,7 +161,7 @@ export const kakao = (options: KakaoOptions) => {
 			const kakaoProfile = account.profile || {};
 			const user = {
 				id: String(profile.id),
-				name: kakaoProfile.nickname || account.name || undefined,
+				name: kakaoProfile.nickname || account.name || "",
 				email: account.email,
 				image:
 					kakaoProfile.profile_image_url || kakaoProfile.thumbnail_image_url,

package/src/social-providers/line.ts

@@ -147,7 +147,7 @@ export const line = (options: LineOptions) => {
 			const userMap = await options.mapProfileToUser?.(profile as any);
 			// ID preference order
 			const id = (profile as any).sub || (profile as any).userId;
-			const name = (profile as any).name || (profile as any).displayName;
+			const name = (profile as any).name || (profile as any).displayName || "";
 			const image =
 				(profile as any).picture || (profile as any).pictureUrl || undefined;
 			const email = (profile as any).email;

package/src/social-providers/naver.ts

@@ -96,7 +96,7 @@ export const naver = (options: NaverOptions) => {
 			const res = profile.response || {};
 			const user = {
 				id: res.id,
-				name: res.name || res.nickname,
+				name: res.name || res.nickname || "",
 				email: res.email,
 				image: res.profile_image,
 				emailVerified: false,

package/src/social-providers/notion.ts

@@ -94,7 +94,7 @@ export const notion = (options: NotionOptions) => {
 			return {
 				user: {
 					id: userProfile.id,
-					name: userProfile.name || "Notion User",
+					name: userProfile.name || "",
 					email: userProfile.person?.email || null,
 					image: userProfile.avatar_url,
 					emailVerified: false,

package/src/social-providers/paybin.ts

@@ -104,11 +104,7 @@ export const paybin = (options: PaybinOptions) => {
 			return {
 				user: {
 					id: user.sub,
-					name:
-						user.name ||
-						user.preferred_username ||
-						(user.email ? user.email.split("@")[0] : "User") ||
-						"User",
+					name: user.name || user.preferred_username || "",
 					email: user.email,
 					image: user.picture,
 					emailVerified: user.email_verified || false,

package/src/social-providers/polar.ts

@@ -96,7 +96,7 @@ export const polar = (options: PolarOptions) => {
 			return {
 				user: {
 					id: profile.id,
-					name: profile.public_name || profile.username,
+					name: profile.public_name || profile.username || "",
 					email: profile.email,
 					image: profile.avatar_url,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/railway.ts

@@ -0,0 +1,100 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+const authorizationEndpoint = "https://backboard.railway.com/oauth/auth";
+const tokenEndpoint = "https://backboard.railway.com/oauth/token";
+const userinfoEndpoint = "https://backboard.railway.com/oauth/me";
+
+export interface RailwayProfile {
+	/** The user's unique ID (OAuth `sub` claim). */
+	sub: string;
+	/** The user's email address. */
+	email: string;
+	/** The user's display name. */
+	name: string;
+	/** URL of the user's profile picture. */
+	picture: string;
+}
+
+export interface RailwayOptions extends ProviderOptions<RailwayProfile> {
+	clientId: string;
+}
+
+export const railway = (options: RailwayOptions) => {
+	return {
+		id: "railway",
+		name: "Railway",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "email", "profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "railway",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+				authentication: "basic",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+						authentication: "basic",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<RailwayProfile>(
+				userinfoEndpoint,
+				{ headers: { authorization: `Bearer ${token.accessToken}` } },
+			);
+			if (error || !profile) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			// Railway does not provide an email_verified claim.
+			// We default to false for security consistency.
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name,
+					email: profile.email,
+					image: profile.picture,
+					emailVerified: false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<RailwayProfile>;
+};

package/src/social-providers/tiktok.ts

@@ -197,7 +197,8 @@ export const tiktok = (options: TiktokOptions) => {
 				user: {
 					email: profile.data.user.email || profile.data.user.username,
 					id: profile.data.user.open_id,
-					name: profile.data.user.display_name || profile.data.user.username,
+					name:
+						profile.data.user.display_name || profile.data.user.username || "",
 					image: profile.data.user.avatar_large_url,
 					emailVerified: false,
 				},

package/src/social-providers/vercel.ts

@@ -73,7 +73,7 @@ export const vercel = (options: VercelOptions) => {
 			return {
 				user: {
 					id: profile.sub,
-					name: profile.name ?? profile.preferred_username,
+					name: profile.name ?? profile.preferred_username ?? "",
 					email: profile.email,
 					image: profile.picture,
 					emailVerified: profile.email_verified ?? false,

package/src/types/context.ts

@@ -265,6 +265,11 @@ export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
 		InfoContext & {
 			options: Options;
 			trustedOrigins: string[];
+			/**
+			 * Resolved list of trusted providers for account linking.
+			 * Populated from "account.accountLinking.trustedProviders" (supports static array or async function).
+			 */
+			trustedProviders: string[];
 			/**
 			 * Verifies whether url is a trusted origin according to the "trustedOrigins" configuration
 			 * @param url The url to verify against the "trustedOrigins" configuration

package/src/types/init-options.ts

@@ -887,11 +887,43 @@ export type BetterAuthOptions = {
 					 */
 					disableImplicitLinking?: boolean;
 					/**
-					 * List of trusted providers
+					 * List of trusted providers. Can be a static array or a function
+					 * that returns providers dynamically. The function is called
+					 * during context init (with `request` undefined) and again
+					 * on each request (with the incoming Request). It must be
+					 * resilient to `request` being undefined.
+					 *
+					 * @example
+					 * ```ts
+					 * trustedProviders: ["google", "github"]
+					 * ```
+					 *
+					 * @example
+					 * ```ts
+					 * trustedProviders: async (request) => {
+					 *   if (!request) return [];
+					 *   const providers = await getTrustedProvidersForTenant(request);
+					 *   return providers;
+					 * }
+					 * ```
 					 */
-					trustedProviders?: Array<
-						LiteralUnion<SocialProviderList[number] | "email-password", string>
-					>;
+					trustedProviders?:
+						| Array<
+								LiteralUnion<
+									SocialProviderList[number] | "email-password",
+									string
+								>
+						  >
+						| ((
+								request?: Request | undefined,
+						  ) => Awaitable<
+								Array<
+									LiteralUnion<
+										SocialProviderList[number] | "email-password",
+										string
+									>
+								>
+						  >);
 					/**
 					 * If enabled (true), this will allow users to manually linking accounts with different email addresses than the main user.
 					 *

package/src/types/plugin.ts

@@ -45,7 +45,8 @@ export type BetterAuthPlugin = BetterAuthPluginErrorCodePart & {
 	init?:
 		| ((ctx: AuthContext) =>
 				| Awaitable<{
-						context?: DeepPartial<Omit<AuthContext, "options">>;
+						context?: DeepPartial<Omit<AuthContext, "options">> &
+							Record<string, unknown>;
 						options?: Partial<BetterAuthOptions>;
 				  }>
 				| void

package/src/utils/deprecate.test.ts

@@ -36,7 +36,6 @@ describe("deprecate", () => {
 		deprecatedFn();
 
 		expect(consoleWarn).toHaveBeenCalledWith("[Deprecation] test message");
-		consoleWarn.mockRestore();
 	});
 
 	it("should pass arguments and return value correctly", () => {