@better-auth/core 1.5.0-beta.2 → 1.5.0-beta.20

package/src/oauth2/refresh-access-token.ts

@@ -1,7 +1,34 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
+import type { AwaitableFunction } from "../types";
 import type { OAuth2Tokens, ProviderOptions } from "./oauth-provider";
 
+export async function refreshAccessTokenRequest({
+	refreshToken,
+	options,
+	authentication,
+	extraParams,
+	resource,
+}: {
+	refreshToken: string;
+	options: AwaitableFunction<Partial<ProviderOptions>>;
+	authentication?: ("basic" | "post") | undefined;
+	extraParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	options = typeof options === "function" ? await options() : options;
+	return createRefreshAccessTokenRequest({
+		refreshToken,
+		options,
+		authentication,
+		extraParams,
+		resource,
+	});
+}
+
+/**
+ * @deprecated use async'd refreshAccessTokenRequest instead
+ */
 export function createRefreshAccessTokenRequest({
 	refreshToken,
 	options,
@@ -10,7 +37,7 @@ export function createRefreshAccessTokenRequest({
 	resource,
 }: {
 	refreshToken: string;
-	options: Partial<ProviderOptions>;
+	options: ProviderOptions;
 	authentication?: ("basic" | "post") | undefined;
 	extraParams?: Record<string, string> | undefined;
 	resource?: (string | string[]) | undefined;
@@ -80,10 +107,8 @@ export async function refreshAccessToken({
 	tokenEndpoint: string;
 	authentication?: ("basic" | "post") | undefined;
 	extraParams?: Record<string, string> | undefined;
-	/** @deprecated always "refresh_token" */
-	grantType?: string | undefined;
 }): Promise<OAuth2Tokens> {
-	const { body, headers } = createRefreshAccessTokenRequest({
+	const { body, headers } = await createRefreshAccessTokenRequest({
 		refreshToken,
 		options,
 		authentication,
@@ -94,6 +119,7 @@ export async function refreshAccessToken({
 		access_token: string;
 		refresh_token?: string | undefined;
 		expires_in?: number | undefined;
+		refresh_token_expires_in?: number | undefined;
 		token_type?: string | undefined;
 		scope?: string | undefined;
 		id_token?: string | undefined;
@@ -120,5 +146,12 @@ export async function refreshAccessToken({
 		);
 	}
 
+	if (data.refresh_token_expires_in) {
+		const now = new Date();
+		tokens.refreshTokenExpiresAt = new Date(
+			now.getTime() + data.refresh_token_expires_in * 1000,
+		);
+	}
+
 	return tokens;
 }

package/src/oauth2/validate-authorization-code.ts

@@ -1,9 +1,48 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { jwtVerify } from "jose";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import type { AwaitableFunction } from "../types";
 import type { ProviderOptions } from "./index";
 import { getOAuth2Tokens } from "./index";
 
+export async function authorizationCodeRequest({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: AwaitableFunction<Partial<ProviderOptions>>;
+	codeVerifier?: string | undefined;
+	deviceId?: string | undefined;
+	authentication?: ("basic" | "post") | undefined;
+	headers?: Record<string, string> | undefined;
+	additionalParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	options = typeof options === "function" ? await options() : options;
+	return createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource,
+	});
+}
+
+/**
+ * @deprecated use async'd authorizationCodeRequest instead
+ */
 export function createAuthorizationCodeRequest({
 	code,
 	codeVerifier,
@@ -31,6 +70,7 @@ export function createAuthorizationCodeRequest({
 		accept: "application/json",
 		...headers,
 	};
+
 	body.set("grant_type", "authorization_code");
 	body.set("code", code);
 	codeVerifier && body.set("code_verifier", codeVerifier);
@@ -90,7 +130,7 @@ export async function validateAuthorizationCode({
 }: {
 	code: string;
 	redirectURI: string;
-	options: Partial<ProviderOptions>;
+	options: AwaitableFunction<Partial<ProviderOptions>>;
 	codeVerifier?: string | undefined;
 	deviceId?: string | undefined;
 	tokenEndpoint: string;
@@ -99,7 +139,7 @@ export async function validateAuthorizationCode({
 	additionalParams?: Record<string, string> | undefined;
 	resource?: (string | string[]) | undefined;
 }) {
-	const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+	const { body, headers: requestHeaders } = await authorizationCodeRequest({
 		code,
 		codeVerifier,
 		redirectURI,
@@ -116,7 +156,6 @@ export async function validateAuthorizationCode({
 		body: body,
 		headers: requestHeaders,
 	});
-
 	if (error) {
 		throw error;
 	}
@@ -124,31 +163,18 @@ export async function validateAuthorizationCode({
 	return tokens;
 }
 
-export async function validateToken(token: string, jwksEndpoint: string) {
-	const { data, error } = await betterFetch<{
-		keys: {
-			kid: string;
-			kty: string;
-			use: string;
-			n: string;
-			e: string;
-			x5c: string[];
-		}[];
-	}>(jwksEndpoint, {
-		method: "GET",
-		headers: {
-			accept: "application/json",
-		},
+export async function validateToken(
+	token: string,
+	jwksEndpoint: string,
+	options?: {
+		audience?: string | string[];
+		issuer?: string | string[];
+	},
+) {
+	const jwks = createRemoteJWKSet(new URL(jwksEndpoint));
+	const verified = await jwtVerify(token, jwks, {
+		audience: options?.audience,
+		issuer: options?.issuer,
 	});
-	if (error) {
-		throw error;
-	}
-	const keys = data["keys"];
-	const header = JSON.parse(atob(token.split(".")[0]!));
-	const key = keys.find((key) => key.kid === header.kid);
-	if (!key) {
-		throw new Error("Key not found");
-	}
-	const verified = await jwtVerify(token, key);
 	return verified;
 }

package/src/oauth2/validate-token.test.ts

@@ -0,0 +1,229 @@
+import type { JWK } from "jose";
+import { exportJWK, generateKeyPair, SignJWT } from "jose";
+import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
+import { validateToken } from "./validate-authorization-code";
+
+describe("validateToken", () => {
+	const originalFetch = globalThis.fetch;
+	const mockedFetch = vi.fn() as unknown as typeof fetch &
+		ReturnType<typeof vi.fn>;
+
+	beforeAll(() => {
+		globalThis.fetch = mockedFetch;
+	});
+
+	afterAll(() => {
+		globalThis.fetch = originalFetch;
+	});
+
+	async function createTestJWKS(alg: string, crv?: string) {
+		const { publicKey, privateKey } = await generateKeyPair(alg, {
+			crv,
+			extractable: true,
+		});
+		const publicJWK = await exportJWK(publicKey);
+		const privateJWK = await exportJWK(privateKey);
+		const kid = `test-key-${Date.now()}`;
+		publicJWK.kid = kid;
+		publicJWK.alg = alg;
+		privateJWK.kid = kid;
+		privateJWK.alg = alg;
+		return { publicJWK, privateJWK, kid, publicKey, privateKey };
+	}
+
+	async function createSignedToken(
+		privateKey: CryptoKey,
+		alg: string,
+		kid: string,
+		payload: Record<string, unknown> = {},
+	) {
+		return await new SignJWT({
+			sub: "user-123",
+			email: "test@example.com",
+			iss: "https://example.com",
+			aud: "test-client",
+			...payload,
+		})
+			.setProtectedHeader({ alg, kid })
+			.setIssuedAt()
+			.setExpirationTime("1h")
+			.sign(privateKey);
+	}
+
+	function mockJWKSResponse(...publicJWKs: JWK[]) {
+		mockedFetch.mockResolvedValueOnce(
+			new Response(JSON.stringify({ keys: publicJWKs }), {
+				status: 200,
+				headers: { "content-type": "application/json" },
+			}),
+		);
+	}
+
+	it("should verify RS256 signed token", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.sub).toBe("user-123");
+		expect(result.payload.email).toBe("test@example.com");
+	});
+
+	it("should verify ES256 signed token", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("ES256");
+		const token = await createSignedToken(privateKey, "ES256", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.sub).toBe("user-123");
+	});
+
+	it("should verify EdDSA (Ed25519) signed token", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS(
+			"EdDSA",
+			"Ed25519",
+		);
+		const token = await createSignedToken(privateKey, "EdDSA", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.sub).toBe("user-123");
+	});
+
+	it("should throw when kid doesn't match any key", async () => {
+		const { publicJWK, privateKey } = await createTestJWKS("RS256");
+		publicJWK.kid = "different-kid";
+		const token = await createSignedToken(privateKey, "RS256", "original-kid");
+		mockJWKSResponse(publicJWK);
+
+		await expect(
+			validateToken(token, "https://example.com/.well-known/jwks"),
+		).rejects.toThrow();
+	});
+
+	it("should find correct key when multiple keys exist", async () => {
+		const key1 = await createTestJWKS("RS256");
+		const key2 = await createTestJWKS("RS256");
+		const key3 = await createTestJWKS("ES256");
+		const token = await createSignedToken(key2.privateKey, "RS256", key2.kid);
+		mockJWKSResponse(key1.publicJWK, key2.publicJWK, key3.publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.sub).toBe("user-123");
+	});
+
+	it("should throw when JWKS returns empty keys array", async () => {
+		const { privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse();
+
+		await expect(
+			validateToken(token, "https://example.com/.well-known/jwks"),
+		).rejects.toThrow();
+	});
+
+	it("should throw when JWKS fetch fails", async () => {
+		const { privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockedFetch.mockResolvedValueOnce(
+			new Response("Internal Server Error", { status: 500 }),
+		);
+
+		await expect(
+			validateToken(token, "https://example.com/.well-known/jwks"),
+		).rejects.toBeDefined();
+	});
+
+	it("should verify token with matching audience", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+			{ audience: "test-client" },
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.aud).toBe("test-client");
+	});
+
+	it("should reject token with mismatched audience", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		await expect(
+			validateToken(token, "https://example.com/.well-known/jwks", {
+				audience: "wrong-client",
+			}),
+		).rejects.toThrow();
+	});
+
+	it("should verify token with matching issuer", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+			{ issuer: "https://example.com" },
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.iss).toBe("https://example.com");
+	});
+
+	it("should reject token with mismatched issuer", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		await expect(
+			validateToken(token, "https://example.com/.well-known/jwks", {
+				issuer: "https://wrong-issuer.com",
+			}),
+		).rejects.toThrow();
+	});
+
+	it("should verify token with both audience and issuer", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+			{
+				audience: "test-client",
+				issuer: "https://example.com",
+			},
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.aud).toBe("test-client");
+		expect(result.payload.iss).toBe("https://example.com");
+	});
+});

package/src/social-providers/apple.ts

@@ -112,41 +112,41 @@ export const apple = (options: AppleOptions) => {
 			if (options.verifyIdToken) {
 				return options.verifyIdToken(token, nonce);
 			}
-			const decodedHeader = decodeProtectedHeader(token);
-			const { kid, alg: jwtAlg } = decodedHeader;
-			if (!kid || !jwtAlg) return false;
-			const publicKey = await getApplePublicKey(kid);
-			const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
-				algorithms: [jwtAlg],
-				issuer: "https://appleid.apple.com",
-				audience:
-					options.audience && options.audience.length
-						? options.audience
-						: options.appBundleIdentifier
-							? options.appBundleIdentifier
-							: options.clientId,
-				maxTokenAge: "1h",
-			});
-			["email_verified", "is_private_email"].forEach((field) => {
-				if (jwtClaims[field] !== undefined) {
-					jwtClaims[field] = Boolean(jwtClaims[field]);
+			try {
+				const decodedHeader = decodeProtectedHeader(token);
+				const { kid, alg: jwtAlg } = decodedHeader;
+				if (!kid || !jwtAlg) return false;
+				const publicKey = await getApplePublicKey(kid);
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: "https://appleid.apple.com",
+					audience:
+						options.audience && options.audience.length
+							? options.audience
+							: options.appBundleIdentifier
+								? options.appBundleIdentifier
+								: options.clientId,
+					maxTokenAge: "1h",
+				});
+				["email_verified", "is_private_email"].forEach((field) => {
+					if (jwtClaims[field] !== undefined) {
+						jwtClaims[field] = Boolean(jwtClaims[field]);
+					}
+				});
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
 				}
-			});
-			if (nonce && jwtClaims.nonce !== nonce) {
+				return !!jwtClaims;
+			} catch {
 				return false;
 			}
-			return !!jwtClaims;
 		},
 		refreshAccessToken: options.refreshAccessToken
 			? options.refreshAccessToken
 			: async (refreshToken) => {
 					return refreshAccessToken({
 						refreshToken,
-						options: {
-							clientId: options.clientId,
-							clientKey: options.clientKey,
-							clientSecret: options.clientSecret,
-						},
+						options,
 						tokenEndpoint: "https://appleid.apple.com/auth/token",
 					});
 				},
@@ -161,9 +161,18 @@ export const apple = (options: AppleOptions) => {
 			if (!profile) {
 				return null;
 			}
-			const name = token.user
-				? `${token.user.name?.firstName} ${token.user.name?.lastName}`
-				: profile.name || profile.email;
+
+			// TODO: "" masking will be removed when the name field is made optional
+			let name: string;
+			if (token.user?.name) {
+				const firstName = token.user.name.firstName || "";
+				const lastName = token.user.name.lastName || "";
+				const fullName = `${firstName} ${lastName}`.trim();
+				name = fullName;
+			} else {
+				name = profile.name || "";
+			}
+
 			const emailVerified =
 				typeof profile.email_verified === "boolean"
 					? profile.email_verified

package/src/social-providers/cognito.ts

@@ -178,10 +178,7 @@ export const cognito = (options: CognitoOptions) => {
 						return null;
 					}
 					const name =
-						profile.name ||
-						profile.given_name ||
-						profile.username ||
-						profile.email;
+						profile.name || profile.given_name || profile.username || "";
 					const enrichedProfile = {
 						...profile,
 						name,
@@ -220,7 +217,11 @@ export const cognito = (options: CognitoOptions) => {
 						return {
 							user: {
 								id: userInfo.sub,
-								name: userInfo.name || userInfo.given_name || userInfo.username,
+								name:
+									userInfo.name ||
+									userInfo.given_name ||
+									userInfo.username ||
+									"",
 								email: userInfo.email,
 								image: userInfo.picture,
 								emailVerified: userInfo.email_verified,

package/src/social-providers/dropbox.ts

@@ -74,7 +74,7 @@ export const dropbox = (options: DropboxOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://api.dropbox.com/oauth2/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/facebook.ts

@@ -49,7 +49,7 @@ export const facebook = (options: FacebookOptions) => {
 			return await createAuthorizationURL({
 				id: "facebook",
 				options,
-				authorizationEndpoint: "https://www.facebook.com/v21.0/dialog/oauth",
+				authorizationEndpoint: "https://www.facebook.com/v24.0/dialog/oauth",
 				scopes: _scopes,
 				state,
 				redirectURI,
@@ -66,7 +66,7 @@ export const facebook = (options: FacebookOptions) => {
 				code,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://graph.facebook.com/oauth/access_token",
+				tokenEndpoint: "https://graph.facebook.com/v24.0/oauth/access_token",
 			});
 		},
 		async verifyIdToken(token, nonce) {
@@ -121,7 +121,7 @@ export const facebook = (options: FacebookOptions) => {
 							clientSecret: options.clientSecret,
 						},
 						tokenEndpoint:
-							"https://graph.facebook.com/v18.0/oauth/access_token",
+							"https://graph.facebook.com/v24.0/oauth/access_token",
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/figma.ts

@@ -34,7 +34,7 @@ export const figma = (options: FigmaOptions) => {
 				throw new BetterAuthError("codeVerifier is required for Figma");
 			}
 
-			const _scopes = options.disableDefaultScope ? [] : ["file_read"];
+			const _scopes = options.disableDefaultScope ? [] : ["current_user:read"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
 
@@ -56,7 +56,8 @@ export const figma = (options: FigmaOptions) => {
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://www.figma.com/api/oauth/token",
+				tokenEndpoint: "https://api.figma.com/v1/oauth/token",
+				authentication: "basic",
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -69,7 +70,8 @@ export const figma = (options: FigmaOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://www.figma.com/api/oauth/token",
+						tokenEndpoint: "https://api.figma.com/v1/oauth/token",
+						authentication: "basic",
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/github.ts

@@ -1,10 +1,12 @@
 import { betterFetch } from "@better-fetch/fetch";
+import { logger } from "../env";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getOAuth2Tokens,
 	refreshAccessToken,
-	validateAuthorizationCode,
 } from "../oauth2";
+import { createAuthorizationCodeRequest } from "../oauth2/validate-authorization-code";
 
 export interface GithubProfile {
 	login: string;
@@ -86,13 +88,33 @@ export const github = (options: GithubOptions) => {
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
-			return validateAuthorizationCode({
+			const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
 				code,
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint,
 			});
+
+			const { data, error } = await betterFetch<
+				| { access_token: string; token_type: string; scope: string }
+				| { error: string; error_description?: string; error_uri?: string }
+			>(tokenEndpoint, {
+				method: "POST",
+				body: body,
+				headers: requestHeaders,
+			});
+
+			if (error) {
+				logger.error("GitHub OAuth token exchange failed:", error);
+				return null;
+			}
+
+			if ("error" in data) {
+				logger.error("GitHub OAuth token exchange failed:", data);
+				return null;
+			}
+
+			return getOAuth2Tokens(data);
 		},
 		refreshAccessToken: options.refreshAccessToken
 			? options.refreshAccessToken
@@ -148,7 +170,7 @@ export const github = (options: GithubOptions) => {
 			return {
 				user: {
 					id: profile.id,
-					name: profile.name || profile.login,
+					name: profile.name || profile.login || "",
 					email: profile.email,
 					image: profile.avatar_url,
 					emailVerified,

package/src/social-providers/gitlab.ts

@@ -65,7 +65,7 @@ const cleanDoubleSlashes = (input: string = "") => {
 };
 
 const issuerToEndpoints = (issuer?: string | undefined) => {
-	let baseUrl = issuer || "https://gitlab.com";
+	const baseUrl = issuer || "https://gitlab.com";
 	return {
 		authorizationEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/authorize`),
 		tokenEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/token`),
@@ -141,7 +141,7 @@ export const gitlab = (options: GitlabOptions) => {
 			return {
 				user: {
 					id: profile.id,
-					name: profile.name ?? profile.username,
+					name: profile.name ?? profile.username ?? "",
 					email: profile.email,
 					image: profile.avatar_url,
 					emailVerified: profile.email_verified ?? false,