@better-auth/core 1.5.0-beta.3 → 1.5.0-beta.5

package/dist/social-providers/atlassian.mjs

@@ -0,0 +1,83 @@
+import { logger } from "../env/logger.mjs";
+import "../env/index.mjs";
+import { BetterAuthError } from "../error/index.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/atlassian.ts
+const atlassian = (options) => {
+	return {
+		id: "atlassian",
+		name: "Atlassian",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Secret are required for Atlassian");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Atlassian");
+			const _scopes = options.disableDefaultScope ? [] : ["read:jira-user", "offline_access"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "atlassian",
+				options,
+				authorizationEndpoint: "https://auth.atlassian.com/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				additionalParams: { audience: "api.atlassian.com" },
+				prompt: options.prompt
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://auth.atlassian.com/oauth/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://auth.atlassian.com/oauth/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.accessToken) return null;
+			try {
+				const { data: profile } = await betterFetch("https://api.atlassian.com/me", { headers: { Authorization: `Bearer ${token.accessToken}` } });
+				if (!profile) return null;
+				const userMap = await options.mapProfileToUser?.(profile);
+				return {
+					user: {
+						id: profile.account_id,
+						name: profile.name,
+						email: profile.email,
+						image: profile.picture,
+						emailVerified: false,
+						...userMap
+					},
+					data: profile
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Figma:", error);
+				return null;
+			}
+		},
+		options
+	};
+};
+
+//#endregion
+export { atlassian };

package/dist/social-providers/cognito.d.mts

@@ -0,0 +1,87 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/cognito.d.ts
+interface CognitoProfile {
+  sub: string;
+  email: string;
+  email_verified: boolean;
+  name: string;
+  given_name?: string | undefined;
+  family_name?: string | undefined;
+  picture?: string | undefined;
+  username?: string | undefined;
+  locale?: string | undefined;
+  phone_number?: string | undefined;
+  phone_number_verified?: boolean | undefined;
+  aud: string;
+  iss: string;
+  exp: number;
+  iat: number;
+  [key: string]: any;
+}
+interface CognitoOptions extends ProviderOptions<CognitoProfile> {
+  clientId: string;
+  /**
+   * The Cognito domain (e.g., "your-app.auth.us-east-1.amazoncognito.com")
+   */
+  domain: string;
+  /**
+   * AWS region where User Pool is hosted (e.g., "us-east-1")
+   */
+  region: string;
+  userPoolId: string;
+  requireClientSecret?: boolean | undefined;
+}
+declare const cognito: (options: CognitoOptions) => {
+  id: "cognito";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    codeVerifier,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: CognitoOptions;
+};
+declare const getCognitoPublicKey: (kid: string, region: string, userPoolId: string) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
+//#endregion
+export { CognitoOptions, CognitoProfile, cognito, getCognitoPublicKey };

package/dist/social-providers/cognito.mjs

@@ -0,0 +1,165 @@
+import { logger } from "../env/logger.mjs";
+import "../env/index.mjs";
+import { APIError, BetterAuthError } from "../error/index.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+
+//#region src/social-providers/cognito.ts
+const cognito = (options) => {
+	if (!options.domain || !options.region || !options.userPoolId) {
+		logger.error("Domain, region and userPoolId are required for Amazon Cognito. Make sure to provide them in the options.");
+		throw new BetterAuthError("DOMAIN_AND_REGION_REQUIRED");
+	}
+	const cleanDomain = options.domain.replace(/^https?:\/\//, "");
+	const authorizationEndpoint = `https://${cleanDomain}/oauth2/authorize`;
+	const tokenEndpoint = `https://${cleanDomain}/oauth2/token`;
+	const userInfoEndpoint = `https://${cleanDomain}/oauth2/userinfo`;
+	return {
+		id: "cognito",
+		name: "Cognito",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId) {
+				logger.error("ClientId is required for Amazon Cognito. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (options.requireClientSecret && !options.clientSecret) {
+				logger.error("Client Secret is required when requireClientSecret is true. Make sure to provide it in the options.");
+				throw new BetterAuthError("CLIENT_SECRET_REQUIRED");
+			}
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			const url = await createAuthorizationURL({
+				id: "cognito",
+				options: { ...options },
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt
+			});
+			const scopeValue = url.searchParams.get("scope");
+			if (scopeValue) {
+				url.searchParams.delete("scope");
+				const encodedScope = encodeURIComponent(scopeValue);
+				const urlString = url.toString();
+				const separator = urlString.includes("?") ? "&" : "?";
+				return new URL(`${urlString}${separator}scope=${encodedScope}`);
+			}
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
+				const publicKey = await getCognitoPublicKey(kid, options.region, options.userPoolId);
+				const expectedIssuer = `https://cognito-idp.${options.region}.amazonaws.com/${options.userPoolId}`;
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: expectedIssuer,
+					audience: options.clientId,
+					maxTokenAge: "1h"
+				});
+				if (nonce && jwtClaims.nonce !== nonce) return false;
+				return true;
+			} catch (error) {
+				logger.error("Failed to verify ID token:", error);
+				return false;
+			}
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (token.idToken) try {
+				const profile = decodeJwt(token.idToken);
+				if (!profile) return null;
+				const name = profile.name || profile.given_name || profile.username || profile.email;
+				const enrichedProfile = {
+					...profile,
+					name
+				};
+				const userMap = await options.mapProfileToUser?.(enrichedProfile);
+				return {
+					user: {
+						id: profile.sub,
+						name: enrichedProfile.name,
+						email: profile.email,
+						image: profile.picture,
+						emailVerified: profile.email_verified,
+						...userMap
+					},
+					data: enrichedProfile
+				};
+			} catch (error) {
+				logger.error("Failed to decode ID token:", error);
+			}
+			if (token.accessToken) try {
+				const { data: userInfo } = await betterFetch(userInfoEndpoint, { headers: { Authorization: `Bearer ${token.accessToken}` } });
+				if (userInfo) {
+					const userMap = await options.mapProfileToUser?.(userInfo);
+					return {
+						user: {
+							id: userInfo.sub,
+							name: userInfo.name || userInfo.given_name || userInfo.username,
+							email: userInfo.email,
+							image: userInfo.picture,
+							emailVerified: userInfo.email_verified,
+							...userMap
+						},
+						data: userInfo
+					};
+				}
+			} catch (error) {
+				logger.error("Failed to fetch user info from Cognito:", error);
+			}
+			return null;
+		},
+		options
+	};
+};
+const getCognitoPublicKey = async (kid, region, userPoolId) => {
+	const COGNITO_JWKS_URI = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}/.well-known/jwks.json`;
+	try {
+		const { data } = await betterFetch(COGNITO_JWKS_URI);
+		if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+		const jwk = data.keys.find((key) => key.kid === kid);
+		if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+		return await importJWK(jwk, jwk.alg);
+	} catch (error) {
+		logger.error("Failed to fetch Cognito public key:", error);
+		throw error;
+	}
+};
+
+//#endregion
+export { cognito, getCognitoPublicKey };

package/dist/social-providers/discord.d.mts

@@ -0,0 +1,126 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/discord.d.ts
+interface DiscordProfile extends Record<string, any> {
+  /** the user's id (i.e. the numerical snowflake) */
+  id: string;
+  /** the user's username, not unique across the platform */
+  username: string;
+  /** the user's Discord-tag */
+  discriminator: string;
+  /** the user's display name, if it is set  */
+  global_name: string | null;
+  /**
+   * the user's avatar hash:
+   * https://discord.com/developers/docs/reference#image-formatting
+   */
+  avatar: string | null;
+  /** whether the user belongs to an OAuth2 application */
+  bot?: boolean | undefined;
+  /**
+   * whether the user is an Official Discord System user (part of the urgent
+   * message system)
+   */
+  system?: boolean | undefined;
+  /** whether the user has two factor enabled on their account */
+  mfa_enabled: boolean;
+  /**
+   * the user's banner hash:
+   * https://discord.com/developers/docs/reference#image-formatting
+   */
+  banner: string | null;
+  /** the user's banner color encoded as an integer representation of hexadecimal color code */
+  accent_color: number | null;
+  /**
+   * the user's chosen language option:
+   * https://discord.com/developers/docs/reference#locales
+   */
+  locale: string;
+  /** whether the email on this account has been verified */
+  verified: boolean;
+  /** the user's email */
+  email: string;
+  /**
+   * the flags on a user's account:
+   * https://discord.com/developers/docs/resources/user#user-object-user-flags
+   */
+  flags: number;
+  /**
+   * the type of Nitro subscription on a user's account:
+   * https://discord.com/developers/docs/resources/user#user-object-premium-types
+   */
+  premium_type: number;
+  /**
+   * the public flags on a user's account:
+   * https://discord.com/developers/docs/resources/user#user-object-user-flags
+   */
+  public_flags: number;
+  /** undocumented field; corresponds to the user's custom nickname */
+  display_name: string | null;
+  /**
+   * undocumented field; corresponds to the Discord feature where you can e.g.
+   * put your avatar inside of an ice cube
+   */
+  avatar_decoration: string | null;
+  /**
+   * undocumented field; corresponds to the premium feature where you can
+   * select a custom banner color
+   */
+  banner_color: string | null;
+  /** undocumented field; the CDN URL of their profile picture */
+  image_url: string;
+}
+interface DiscordOptions extends ProviderOptions<DiscordProfile> {
+  clientId: string;
+  prompt?: ("none" | "consent") | undefined;
+  permissions?: number | undefined;
+}
+declare const discord: (options: DiscordOptions) => {
+  id: "discord";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): URL;
+  validateAuthorizationCode: ({
+    code,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: DiscordOptions;
+};
+//#endregion
+export { DiscordOptions, DiscordProfile, discord };

package/dist/social-providers/discord.mjs

@@ -0,0 +1,64 @@
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/discord.ts
+const discord = (options) => {
+	return {
+		id: "discord",
+		name: "Discord",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["identify", "email"];
+			if (scopes) _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			const permissionsParam = _scopes.includes("bot") && options.permissions !== void 0 ? `&permissions=${options.permissions}` : "";
+			return new URL(`https://discord.com/api/oauth2/authorize?scope=${_scopes.join("+")}&response_type=code&client_id=${options.clientId}&redirect_uri=${encodeURIComponent(options.redirectURI || redirectURI)}&state=${state}&prompt=${options.prompt || "none"}${permissionsParam}`);
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://discord.com/api/oauth2/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://discord.com/api/oauth2/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://discord.com/api/users/@me", { headers: { authorization: `Bearer ${token.accessToken}` } });
+			if (error) return null;
+			if (profile.avatar === null) profile.image_url = `https://cdn.discordapp.com/embed/avatars/${profile.discriminator === "0" ? Number(BigInt(profile.id) >> BigInt(22)) % 6 : parseInt(profile.discriminator) % 5}.png`;
+			else {
+				const format = profile.avatar.startsWith("a_") ? "gif" : "png";
+				profile.image_url = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.global_name || profile.username || "",
+					email: profile.email,
+					emailVerified: profile.verified,
+					image: profile.image_url,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+
+//#endregion
+export { discord };

package/dist/social-providers/dropbox.d.mts

@@ -0,0 +1,71 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/dropbox.d.ts
+interface DropboxProfile {
+  account_id: string;
+  name: {
+    given_name: string;
+    surname: string;
+    familiar_name: string;
+    display_name: string;
+    abbreviated_name: string;
+  };
+  email: string;
+  email_verified: boolean;
+  profile_photo_url: string;
+}
+interface DropboxOptions extends ProviderOptions<DropboxProfile> {
+  clientId: string;
+  accessType?: ("offline" | "online" | "legacy") | undefined;
+}
+declare const dropbox: (options: DropboxOptions) => {
+  id: "dropbox";
+  name: string;
+  createAuthorizationURL: ({
+    state,
+    scopes,
+    codeVerifier,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }) => Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: DropboxOptions;
+};
+//#endregion
+export { DropboxOptions, DropboxProfile, dropbox };

package/dist/social-providers/dropbox.mjs

@@ -0,0 +1,75 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/dropbox.ts
+const dropbox = (options) => {
+	const tokenEndpoint = "https://api.dropboxapi.com/oauth2/token";
+	return {
+		id: "dropbox",
+		name: "Dropbox",
+		createAuthorizationURL: async ({ state, scopes, codeVerifier, redirectURI }) => {
+			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			const additionalParams = {};
+			if (options.accessType) additionalParams.token_access_type = options.accessType;
+			return await createAuthorizationURL({
+				id: "dropbox",
+				options,
+				authorizationEndpoint: "https://www.dropbox.com/oauth2/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				codeVerifier,
+				additionalParams
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return await validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://api.dropbox.com/oauth2/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.dropboxapi.com/2/users/get_current_account", {
+				method: "POST",
+				headers: { Authorization: `Bearer ${token.accessToken}` }
+			});
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.account_id,
+					name: profile.name?.display_name,
+					email: profile.email,
+					emailVerified: profile.email_verified || false,
+					image: profile.profile_photo_url,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+
+//#endregion
+export { dropbox };