@better-auth/core 1.5.0-beta.2 → 1.5.0-beta.20

package/src/social-providers/google.ts

@@ -81,7 +81,7 @@ export const google = (options: GoogleOptions) => {
 			const url = await createAuthorizationURL({
 				id: "google",
 				options,
-				authorizationEndpoint: "https://accounts.google.com/o/oauth2/auth",
+				authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
 				scopes: _scopes,
 				state,
 				codeVerifier,
@@ -116,7 +116,7 @@ export const google = (options: GoogleOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://www.googleapis.com/oauth2/v4/token",
+						tokenEndpoint: "https://oauth2.googleapis.com/token",
 					});
 				},
 		async verifyIdToken(token, nonce) {
@@ -130,22 +130,26 @@ export const google = (options: GoogleOptions) => {
 			// Verify JWT integrity
 			// See https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token
 
-			const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
-			if (!kid || !jwtAlg) return false;
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
 
-			const publicKey = await getGooglePublicKey(kid);
-			const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
-				algorithms: [jwtAlg],
-				issuer: ["https://accounts.google.com", "accounts.google.com"],
-				audience: options.clientId,
-				maxTokenAge: "1h",
-			});
+				const publicKey = await getGooglePublicKey(kid);
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: ["https://accounts.google.com", "accounts.google.com"],
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				});
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
 
-			if (nonce && jwtClaims.nonce !== nonce) {
+				return true;
+			} catch {
 				return false;
 			}
-
-			return true;
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) {

package/src/social-providers/huggingface.ts

@@ -104,7 +104,7 @@ export const huggingface = (options: HuggingFaceOptions) => {
 			return {
 				user: {
 					id: profile.sub,
-					name: profile.name || profile.preferred_username,
+					name: profile.name || profile.preferred_username || "",
 					email: profile.email,
 					image: profile.picture,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/index.ts

@@ -1,4 +1,5 @@
 import * as z from "zod";
+import type { AwaitableFunction } from "../types";
 import { apple } from "./apple";
 import { atlassian } from "./atlassian";
 import { cognito } from "./cognito";
@@ -21,6 +22,7 @@ import { notion } from "./notion";
 import { paybin } from "./paybin";
 import { paypal } from "./paypal";
 import { polar } from "./polar";
+import { railway } from "./railway";
 import { reddit } from "./reddit";
 import { roblox } from "./roblox";
 import { salesforce } from "./salesforce";
@@ -66,6 +68,7 @@ export const socialProviders = {
 	paybin,
 	paypal,
 	polar,
+	railway,
 	vercel,
 };
 
@@ -81,11 +84,11 @@ export const SocialProviderListEnum = z
 export type SocialProvider = z.infer<typeof SocialProviderListEnum>;
 
 export type SocialProviders = {
-	[K in SocialProviderList[number]]?: Parameters<
-		(typeof socialProviders)[K]
-	>[0] & {
-		enabled?: boolean | undefined;
-	};
+	[K in SocialProviderList[number]]?: AwaitableFunction<
+		Parameters<(typeof socialProviders)[K]>[0] & {
+			enabled?: boolean | undefined;
+		}
+	>;
 };
 
 export * from "./apple";
@@ -112,6 +115,7 @@ export * from "./notion";
 export * from "./paybin";
 export * from "./paypal";
 export * from "./polar";
+export * from "./railway";
 export * from "./reddit";
 export * from "./roblox";
 export * from "./salesforce";

package/src/social-providers/kakao.ts

@@ -161,7 +161,7 @@ export const kakao = (options: KakaoOptions) => {
 			const kakaoProfile = account.profile || {};
 			const user = {
 				id: String(profile.id),
-				name: kakaoProfile.nickname || account.name || undefined,
+				name: kakaoProfile.nickname || account.name || "",
 				email: account.email,
 				image:
 					kakaoProfile.profile_image_url || kakaoProfile.thumbnail_image_url,

package/src/social-providers/line.ts

@@ -147,7 +147,7 @@ export const line = (options: LineOptions) => {
 			const userMap = await options.mapProfileToUser?.(profile as any);
 			// ID preference order
 			const id = (profile as any).sub || (profile as any).userId;
-			const name = (profile as any).name || (profile as any).displayName;
+			const name = (profile as any).name || (profile as any).displayName || "";
 			const image =
 				(profile as any).picture || (profile as any).pictureUrl || undefined;
 			const email = (profile as any).email;

package/src/social-providers/microsoft-entra-id.ts

@@ -1,7 +1,8 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt } from "jose";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 import { logger } from "../env";
+import { APIError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
@@ -174,6 +175,56 @@ export const microsoft = (options: MicrosoftOptions) => {
 				tokenEndpoint,
 			});
 		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
+
+				const publicKey = await getMicrosoftPublicKey(kid, tenant, authority);
+				const verifyOptions: {
+					algorithms: [string];
+					audience: string;
+					maxTokenAge: string;
+					issuer?: string;
+				} = {
+					algorithms: [jwtAlg],
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				};
+				/**
+				 * Issuer varies per user's tenant for multi-tenant endpoints, so only validate for specific tenants.
+				 * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
+				 */
+				if (
+					tenant !== "common" &&
+					tenant !== "organizations" &&
+					tenant !== "consumers"
+				) {
+					verifyOptions.issuer = `${authority}/${tenant}/v2.0`;
+				}
+				const { payload: jwtClaims } = await jwtVerify(
+					token,
+					publicKey,
+					verifyOptions,
+				);
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
+
+				return true;
+			} catch (error) {
+				logger.error("Failed to verify ID token:", error);
+				return false;
+			}
+		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) {
 				return options.getUserInfo(token);
@@ -257,3 +308,35 @@ export const microsoft = (options: MicrosoftOptions) => {
 		options,
 	} satisfies OAuthProvider;
 };
+
+export const getMicrosoftPublicKey = async (
+	kid: string,
+	tenant: string,
+	authority: string,
+) => {
+	const { data } = await betterFetch<{
+		keys: Array<{
+			kid: string;
+			alg: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+			x5c?: string[];
+			x5t?: string;
+		}>;
+	}>(`${authority}/${tenant}/discovery/v2.0/keys`);
+
+	if (!data?.keys) {
+		throw new APIError("BAD_REQUEST", {
+			message: "Keys not found",
+		});
+	}
+
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) {
+		throw new Error(`JWK with kid ${kid} not found`);
+	}
+
+	return await importJWK(jwk, jwk.alg);
+};

package/src/social-providers/naver.ts

@@ -96,7 +96,7 @@ export const naver = (options: NaverOptions) => {
 			const res = profile.response || {};
 			const user = {
 				id: res.id,
-				name: res.name || res.nickname,
+				name: res.name || res.nickname || "",
 				email: res.email,
 				image: res.profile_image,
 				emailVerified: false,

package/src/social-providers/notion.ts

@@ -94,7 +94,7 @@ export const notion = (options: NotionOptions) => {
 			return {
 				user: {
 					id: userProfile.id,
-					name: userProfile.name || "Notion User",
+					name: userProfile.name || "",
 					email: userProfile.person?.email || null,
 					image: userProfile.avatar_url,
 					emailVerified: false,

package/src/social-providers/paybin.ts

@@ -104,11 +104,7 @@ export const paybin = (options: PaybinOptions) => {
 			return {
 				user: {
 					id: user.sub,
-					name:
-						user.name ||
-						user.preferred_username ||
-						(user.email ? user.email.split("@")[0] : "User") ||
-						"User",
+					name: user.name || user.preferred_username || "",
 					email: user.email,
 					image: user.picture,
 					emailVerified: user.email_verified || false,

package/src/social-providers/polar.ts

@@ -96,7 +96,7 @@ export const polar = (options: PolarOptions) => {
 			return {
 				user: {
 					id: profile.id,
-					name: profile.public_name || profile.username,
+					name: profile.public_name || profile.username || "",
 					email: profile.email,
 					image: profile.avatar_url,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/railway.ts

@@ -0,0 +1,100 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+const authorizationEndpoint = "https://backboard.railway.com/oauth/auth";
+const tokenEndpoint = "https://backboard.railway.com/oauth/token";
+const userinfoEndpoint = "https://backboard.railway.com/oauth/me";
+
+export interface RailwayProfile {
+	/** The user's unique ID (OAuth `sub` claim). */
+	sub: string;
+	/** The user's email address. */
+	email: string;
+	/** The user's display name. */
+	name: string;
+	/** URL of the user's profile picture. */
+	picture: string;
+}
+
+export interface RailwayOptions extends ProviderOptions<RailwayProfile> {
+	clientId: string;
+}
+
+export const railway = (options: RailwayOptions) => {
+	return {
+		id: "railway",
+		name: "Railway",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "email", "profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "railway",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+				authentication: "basic",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+						authentication: "basic",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<RailwayProfile>(
+				userinfoEndpoint,
+				{ headers: { authorization: `Bearer ${token.accessToken}` } },
+			);
+			if (error || !profile) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			// Railway does not provide an email_verified claim.
+			// We default to false for security consistency.
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name,
+					email: profile.email,
+					image: profile.picture,
+					emailVerified: false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<RailwayProfile>;
+};

package/src/social-providers/tiktok.ts

@@ -197,7 +197,8 @@ export const tiktok = (options: TiktokOptions) => {
 				user: {
 					email: profile.data.user.email || profile.data.user.username,
 					id: profile.data.user.open_id,
-					name: profile.data.user.display_name || profile.data.user.username,
+					name:
+						profile.data.user.display_name || profile.data.user.username || "",
 					image: profile.data.user.avatar_large_url,
 					emailVerified: false,
 				},

package/src/social-providers/vercel.ts

@@ -73,7 +73,7 @@ export const vercel = (options: VercelOptions) => {
 			return {
 				user: {
 					id: profile.sub,
-					name: profile.name ?? profile.preferred_username,
+					name: profile.name ?? profile.preferred_username ?? "",
 					email: profile.email,
 					image: profile.picture,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/zoom.ts

@@ -96,11 +96,6 @@ export interface ZoomProfile extends Record<string, any> {
 	login_types: LoginType[];
 	/** User's personal meeting URL (Example: "example.com") */
 	personal_meeting_url: string;
-	/** This field has been deprecated and will not be supported in the future.
-	 * Use the phone_numbers field instead of this field.
-	 * The user's phone number (Example: "+1 800000000") */
-	// @deprecated true
-	phone_number?: string | undefined;
 	/** The URL for user's profile picture (Example: "example.com") */
 	pic_url: string;
 	/** Personal Meeting ID (PMI) (Example: 3542471135) */
@@ -131,9 +126,6 @@ export interface ZoomProfile extends Record<string, any> {
 	employee_unique_id?: string | undefined;
 	/** The manager for the user (Example: "thill@example.com") */
 	manager?: string | undefined;
-	/** The user's country for the company phone number (Example: "US")
-	 * @deprecated true */
-	phone_country?: string | undefined;
 	/** The phone number's ISO country code (Example: "+1") */
 	phone_numbers?: PhoneNumber[] | undefined;
 	/** The user's plan type (Example: "1") */