@better-auth/core 1.5.0-beta.3 → 1.5.0-beta.5

package/dist/error/index.d.mts

@@ -1,190 +1,6 @@
+import { APIErrorCode, BASE_ERROR_CODES } from "./codes.mjs";
 import { APIError as APIError$1 } from "better-call/error";
 
-//#region src/error/codes.d.ts
-declare const BASE_ERROR_CODES: {
-  readonly USER_NOT_FOUND: {
-    code: "USER_NOT_FOUND";
-    message: "User not found";
-  };
-  readonly FAILED_TO_CREATE_USER: {
-    code: "FAILED_TO_CREATE_USER";
-    message: "Failed to create user";
-  };
-  readonly FAILED_TO_CREATE_SESSION: {
-    code: "FAILED_TO_CREATE_SESSION";
-    message: "Failed to create session";
-  };
-  readonly FAILED_TO_UPDATE_USER: {
-    code: "FAILED_TO_UPDATE_USER";
-    message: "Failed to update user";
-  };
-  readonly FAILED_TO_GET_SESSION: {
-    code: "FAILED_TO_GET_SESSION";
-    message: "Failed to get session";
-  };
-  readonly INVALID_PASSWORD: {
-    code: "INVALID_PASSWORD";
-    message: "Invalid password";
-  };
-  readonly INVALID_EMAIL: {
-    code: "INVALID_EMAIL";
-    message: "Invalid email";
-  };
-  readonly INVALID_EMAIL_OR_PASSWORD: {
-    code: "INVALID_EMAIL_OR_PASSWORD";
-    message: "Invalid email or password";
-  };
-  readonly INVALID_USER: {
-    code: "INVALID_USER";
-    message: "Invalid user";
-  };
-  readonly SOCIAL_ACCOUNT_ALREADY_LINKED: {
-    code: "SOCIAL_ACCOUNT_ALREADY_LINKED";
-    message: "Social account already linked";
-  };
-  readonly PROVIDER_NOT_FOUND: {
-    code: "PROVIDER_NOT_FOUND";
-    message: "Provider not found";
-  };
-  readonly INVALID_TOKEN: {
-    code: "INVALID_TOKEN";
-    message: "Invalid token";
-  };
-  readonly TOKEN_EXPIRED: {
-    code: "TOKEN_EXPIRED";
-    message: "Token expired";
-  };
-  readonly ID_TOKEN_NOT_SUPPORTED: {
-    code: "ID_TOKEN_NOT_SUPPORTED";
-    message: "id_token not supported";
-  };
-  readonly FAILED_TO_GET_USER_INFO: {
-    code: "FAILED_TO_GET_USER_INFO";
-    message: "Failed to get user info";
-  };
-  readonly USER_EMAIL_NOT_FOUND: {
-    code: "USER_EMAIL_NOT_FOUND";
-    message: "User email not found";
-  };
-  readonly EMAIL_NOT_VERIFIED: {
-    code: "EMAIL_NOT_VERIFIED";
-    message: "Email not verified";
-  };
-  readonly PASSWORD_TOO_SHORT: {
-    code: "PASSWORD_TOO_SHORT";
-    message: "Password too short";
-  };
-  readonly PASSWORD_TOO_LONG: {
-    code: "PASSWORD_TOO_LONG";
-    message: "Password too long";
-  };
-  readonly USER_ALREADY_EXISTS: {
-    code: "USER_ALREADY_EXISTS";
-    message: "User already exists.";
-  };
-  readonly USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL: {
-    code: "USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL";
-    message: "User already exists. Use another email.";
-  };
-  readonly EMAIL_CAN_NOT_BE_UPDATED: {
-    code: "EMAIL_CAN_NOT_BE_UPDATED";
-    message: "Email can not be updated";
-  };
-  readonly CREDENTIAL_ACCOUNT_NOT_FOUND: {
-    code: "CREDENTIAL_ACCOUNT_NOT_FOUND";
-    message: "Credential account not found";
-  };
-  readonly SESSION_EXPIRED: {
-    code: "SESSION_EXPIRED";
-    message: "Session expired. Re-authenticate to perform this action.";
-  };
-  readonly FAILED_TO_UNLINK_LAST_ACCOUNT: {
-    code: "FAILED_TO_UNLINK_LAST_ACCOUNT";
-    message: "You can't unlink your last account";
-  };
-  readonly ACCOUNT_NOT_FOUND: {
-    code: "ACCOUNT_NOT_FOUND";
-    message: "Account not found";
-  };
-  readonly USER_ALREADY_HAS_PASSWORD: {
-    code: "USER_ALREADY_HAS_PASSWORD";
-    message: "User already has a password. Provide that to delete the account.";
-  };
-  readonly CROSS_SITE_NAVIGATION_LOGIN_BLOCKED: {
-    code: "CROSS_SITE_NAVIGATION_LOGIN_BLOCKED";
-    message: "Cross-site navigation login blocked. This request appears to be a CSRF attack.";
-  };
-  readonly VERIFICATION_EMAIL_NOT_ENABLED: {
-    code: "VERIFICATION_EMAIL_NOT_ENABLED";
-    message: "Verification email isn't enabled";
-  };
-  readonly EMAIL_ALREADY_VERIFIED: {
-    code: "EMAIL_ALREADY_VERIFIED";
-    message: "Email is already verified";
-  };
-  readonly EMAIL_MISMATCH: {
-    code: "EMAIL_MISMATCH";
-    message: "Email mismatch";
-  };
-  readonly SESSION_NOT_FRESH: {
-    code: "SESSION_NOT_FRESH";
-    message: "Session is not fresh";
-  };
-  readonly LINKED_ACCOUNT_ALREADY_EXISTS: {
-    code: "LINKED_ACCOUNT_ALREADY_EXISTS";
-    message: "Linked account already exists";
-  };
-  readonly INVALID_ORIGIN: {
-    code: "INVALID_ORIGIN";
-    message: "Invalid origin";
-  };
-  readonly INVALID_CALLBACK_URL: {
-    code: "INVALID_CALLBACK_URL";
-    message: "Invalid callbackURL";
-  };
-  readonly INVALID_REDIRECT_URL: {
-    code: "INVALID_REDIRECT_URL";
-    message: "Invalid redirectURL";
-  };
-  readonly INVALID_ERROR_CALLBACK_URL: {
-    code: "INVALID_ERROR_CALLBACK_URL";
-    message: "Invalid errorCallbackURL";
-  };
-  readonly INVALID_NEW_USER_CALLBACK_URL: {
-    code: "INVALID_NEW_USER_CALLBACK_URL";
-    message: "Invalid newUserCallbackURL";
-  };
-  readonly MISSING_OR_NULL_ORIGIN: {
-    code: "MISSING_OR_NULL_ORIGIN";
-    message: "Missing or null Origin";
-  };
-  readonly CALLBACK_URL_REQUIRED: {
-    code: "CALLBACK_URL_REQUIRED";
-    message: "callbackURL is required";
-  };
-  readonly FAILED_TO_CREATE_VERIFICATION: {
-    code: "FAILED_TO_CREATE_VERIFICATION";
-    message: "Unable to create verification";
-  };
-  readonly FIELD_NOT_ALLOWED: {
-    code: "FIELD_NOT_ALLOWED";
-    message: "Field not allowed to be set";
-  };
-  readonly ASYNC_VALIDATION_NOT_SUPPORTED: {
-    code: "ASYNC_VALIDATION_NOT_SUPPORTED";
-    message: "Async validation is not supported";
-  };
-  readonly VALIDATION_ERROR: {
-    code: "VALIDATION_ERROR";
-    message: "Validation Error";
-  };
-  readonly MISSING_FIELD: {
-    code: "MISSING_FIELD";
-    message: "Field is required";
-  };
-};
-type APIErrorCode = keyof typeof BASE_ERROR_CODES;
-//#endregion
 //#region src/error/index.d.ts
 declare class BetterAuthError extends Error {
   constructor(message: string, cause?: string | undefined);

package/dist/error/index.mjs

@@ -1,5 +1,30 @@
-import "../env-DbssmzoK.mjs";
-import "../utils-puAL36Bz.mjs";
-import { n as BetterAuthError, r as BASE_ERROR_CODES, t as APIError } from "../error-GNtLPYaS.mjs";
+import { BASE_ERROR_CODES } from "./codes.mjs";
+import { APIError as APIError$1 } from "better-call/error";
 
+//#region src/error/index.ts
+var BetterAuthError = class extends Error {
+	constructor(message, cause) {
+		super(message);
+		this.name = "BetterAuthError";
+		this.message = message;
+		this.cause = cause;
+		this.stack = "";
+	}
+};
+var APIError = class APIError extends APIError$1 {
+	constructor(...args) {
+		super(...args);
+	}
+	static fromStatus(status, body) {
+		return new APIError(status, body);
+	}
+	static from(status, error) {
+		return new APIError(status, {
+			message: error.message,
+			code: error.code
+		});
+	}
+};
+
+//#endregion
 export { APIError, BASE_ERROR_CODES, BetterAuthError };

package/dist/index.d.mts

@@ -1,2 +1,8 @@
-import { C as HookEndpointContext, Cr as Primitive, Mn as BetterAuthCookies, S as BetterAuthPlugin, Sr as Prettify, _ as PluginContext, b as BetterAuthRateLimitOptions, br as LiteralString, c as BetterAuthClientPlugin, d as ClientStore, f as AuthContext, g as InternalAdapter, h as GenericEndpointContext, l as ClientAtomListener, m as BetterAuthPluginRegistryIdentifier, o as StandardSchemaV1, p as BetterAuthPluginRegistry, s as BetterAuthClientOptions, u as ClientFetchOption, v as BetterAuthAdvancedOptions, x as GenerateIdFn, xr as LiteralUnion, y as BetterAuthOptions, yr as Awaitable } from "./index-CGr4Qrv8.mjs";
+import { Awaitable, LiteralString, LiteralUnion, Prettify, Primitive } from "./types/helper.mjs";
+import { BetterAuthCookies } from "./types/cookie.mjs";
+import { BetterAuthPlugin, HookEndpointContext } from "./types/plugin.mjs";
+import { BetterAuthAdvancedOptions, BetterAuthOptions, BetterAuthRateLimitOptions, GenerateIdFn } from "./types/init-options.mjs";
+import { AuthContext, BetterAuthPluginRegistry, BetterAuthPluginRegistryIdentifier, GenericEndpointContext, InternalAdapter, PluginContext } from "./types/context.mjs";
+import { BetterAuthClientOptions, BetterAuthClientPlugin, ClientAtomListener, ClientFetchOption, ClientStore } from "./types/plugin-client.mjs";
+import { StandardSchemaV1 } from "./types/index.mjs";
 export { AuthContext, Awaitable, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthPluginRegistry, BetterAuthPluginRegistryIdentifier, BetterAuthRateLimitOptions, ClientAtomListener, ClientFetchOption, ClientStore, GenerateIdFn, GenericEndpointContext, HookEndpointContext, InternalAdapter, LiteralString, LiteralUnion, PluginContext, Prettify, Primitive, StandardSchemaV1 };

package/dist/oauth2/client-credentials-token.d.mts

@@ -0,0 +1,36 @@
+import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+
+//#region src/oauth2/client-credentials-token.d.ts
+declare function createClientCredentialsTokenRequest({
+  options,
+  scope,
+  authentication,
+  resource
+}: {
+  options: ProviderOptions & {
+    clientSecret: string;
+  };
+  scope?: string | undefined;
+  authentication?: ("basic" | "post") | undefined;
+  resource?: (string | string[]) | undefined;
+}): {
+  body: URLSearchParams;
+  headers: Record<string, any>;
+};
+declare function clientCredentialsToken({
+  options,
+  tokenEndpoint,
+  scope,
+  authentication,
+  resource
+}: {
+  options: ProviderOptions & {
+    clientSecret: string;
+  };
+  tokenEndpoint: string;
+  scope: string;
+  authentication?: ("basic" | "post") | undefined;
+  resource?: (string | string[]) | undefined;
+}): Promise<OAuth2Tokens>;
+//#endregion
+export { clientCredentialsToken, createClientCredentialsTokenRequest };

package/dist/oauth2/client-credentials-token.mjs

@@ -0,0 +1,54 @@
+import { base64Url } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/oauth2/client-credentials-token.ts
+function createClientCredentialsTokenRequest({ options, scope, authentication, resource }) {
+	const body = new URLSearchParams();
+	const headers = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json"
+	};
+	body.set("grant_type", "client_credentials");
+	scope && body.set("scope", scope);
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		headers["authorization"] = `Basic ${base64Url.encode(`${primaryClientId}:${options.clientSecret}`)}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		body.set("client_secret", options.clientSecret);
+	}
+	return {
+		body,
+		headers
+	};
+}
+async function clientCredentialsToken({ options, tokenEndpoint, scope, authentication, resource }) {
+	const { body, headers } = createClientCredentialsTokenRequest({
+		options,
+		scope,
+		authentication,
+		resource
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers
+	});
+	if (error) throw error;
+	const tokens = {
+		accessToken: data.access_token,
+		tokenType: data.token_type,
+		scopes: data.scope?.split(" ")
+	};
+	if (data.expires_in) {
+		const now = /* @__PURE__ */ new Date();
+		tokens.accessTokenExpiresAt = new Date(now.getTime() + data.expires_in * 1e3);
+	}
+	return tokens;
+}
+
+//#endregion
+export { clientCredentialsToken, createClientCredentialsTokenRequest };

package/dist/oauth2/create-authorization-url.d.mts

@@ -0,0 +1,45 @@
+import { ProviderOptions } from "./oauth-provider.mjs";
+import "./index.mjs";
+
+//#region src/oauth2/create-authorization-url.d.ts
+declare function createAuthorizationURL({
+  id,
+  options,
+  authorizationEndpoint,
+  state,
+  codeVerifier,
+  scopes,
+  claims,
+  redirectURI,
+  duration,
+  prompt,
+  accessType,
+  responseType,
+  display,
+  loginHint,
+  hd,
+  responseMode,
+  additionalParams,
+  scopeJoiner
+}: {
+  id: string;
+  options: ProviderOptions;
+  redirectURI: string;
+  authorizationEndpoint: string;
+  state: string;
+  codeVerifier?: string | undefined;
+  scopes?: string[] | undefined;
+  claims?: string[] | undefined;
+  duration?: string | undefined;
+  prompt?: string | undefined;
+  accessType?: string | undefined;
+  responseType?: string | undefined;
+  display?: string | undefined;
+  loginHint?: string | undefined;
+  hd?: string | undefined;
+  responseMode?: string | undefined;
+  additionalParams?: Record<string, string> | undefined;
+  scopeJoiner?: string | undefined;
+}): Promise<URL>;
+//#endregion
+export { createAuthorizationURL };

package/dist/oauth2/create-authorization-url.mjs

@@ -0,0 +1,42 @@
+import { generateCodeChallenge } from "./utils.mjs";
+
+//#region src/oauth2/create-authorization-url.ts
+async function createAuthorizationURL({ id, options, authorizationEndpoint, state, codeVerifier, scopes, claims, redirectURI, duration, prompt, accessType, responseType, display, loginHint, hd, responseMode, additionalParams, scopeJoiner }) {
+	const url = new URL(options.authorizationEndpoint || authorizationEndpoint);
+	url.searchParams.set("response_type", responseType || "code");
+	const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+	url.searchParams.set("client_id", primaryClientId);
+	url.searchParams.set("state", state);
+	if (scopes) url.searchParams.set("scope", scopes.join(scopeJoiner || " "));
+	url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+	duration && url.searchParams.set("duration", duration);
+	display && url.searchParams.set("display", display);
+	loginHint && url.searchParams.set("login_hint", loginHint);
+	prompt && url.searchParams.set("prompt", prompt);
+	hd && url.searchParams.set("hd", hd);
+	accessType && url.searchParams.set("access_type", accessType);
+	responseMode && url.searchParams.set("response_mode", responseMode);
+	if (codeVerifier) {
+		const codeChallenge = await generateCodeChallenge(codeVerifier);
+		url.searchParams.set("code_challenge_method", "S256");
+		url.searchParams.set("code_challenge", codeChallenge);
+	}
+	if (claims) {
+		const claimsObj = claims.reduce((acc, claim) => {
+			acc[claim] = null;
+			return acc;
+		}, {});
+		url.searchParams.set("claims", JSON.stringify({ id_token: {
+			email: null,
+			email_verified: null,
+			...claimsObj
+		} }));
+	}
+	if (additionalParams) Object.entries(additionalParams).forEach(([key, value]) => {
+		url.searchParams.set(key, value);
+	});
+	return url;
+}
+
+//#endregion
+export { createAuthorizationURL };

package/dist/oauth2/index.d.mts

@@ -1,2 +1,8 @@
-import { Bn as getOAuth2Tokens, Fn as verifyJwsAccessToken, Gn as createClientCredentialsTokenRequest, Hn as refreshAccessToken, In as createAuthorizationCodeRequest, Jn as OAuthProvider, Kn as OAuth2Tokens, Ln as validateAuthorizationCode, Nn as getJwks, Pn as verifyAccessToken, Rn as validateToken, Un as createAuthorizationURL, Vn as createRefreshAccessTokenRequest, Wn as clientCredentialsToken, Yn as ProviderOptions, qn as OAuth2UserInfo, zn as generateCodeChallenge } from "../index-CGr4Qrv8.mjs";
-export { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions, clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };
+import { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions } from "./oauth-provider.mjs";
+import { clientCredentialsToken, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
+import { createAuthorizationURL } from "./create-authorization-url.mjs";
+import { createRefreshAccessTokenRequest, refreshAccessToken } from "./refresh-access-token.mjs";
+import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
+import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
+export { type OAuth2Tokens, type OAuth2UserInfo, type OAuthProvider, type ProviderOptions, clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/index.mjs

@@ -1,4 +1,8 @@
-import "../env-DbssmzoK.mjs";
-import { a as validateAuthorizationCode, c as refreshAccessToken, d as getOAuth2Tokens, f as clientCredentialsToken, i as createAuthorizationCodeRequest, l as createAuthorizationURL, n as verifyAccessToken, o as validateToken, p as createClientCredentialsTokenRequest, r as verifyJwsAccessToken, s as createRefreshAccessTokenRequest, t as getJwks, u as generateCodeChallenge } from "../oauth2-BjWM15hm.mjs";
+import { clientCredentialsToken, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
+import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { createAuthorizationURL } from "./create-authorization-url.mjs";
+import { createRefreshAccessTokenRequest, refreshAccessToken } from "./refresh-access-token.mjs";
+import { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
+import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
 
 export { clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/oauth-provider.d.mts

@@ -0,0 +1,194 @@
+import { Awaitable, LiteralString } from "../types/helper.mjs";
+import "../types/index.mjs";
+
+//#region src/oauth2/oauth-provider.d.ts
+interface OAuth2Tokens {
+  tokenType?: string | undefined;
+  accessToken?: string | undefined;
+  refreshToken?: string | undefined;
+  accessTokenExpiresAt?: Date | undefined;
+  refreshTokenExpiresAt?: Date | undefined;
+  scopes?: string[] | undefined;
+  idToken?: string | undefined;
+  /**
+   * Raw token response from the provider.
+   * Preserves provider-specific fields that are not part of the standard OAuth2 token response.
+   */
+  raw?: Record<string, unknown> | undefined;
+}
+type OAuth2UserInfo = {
+  id: string | number;
+  name?: string | undefined;
+  email?: (string | null) | undefined;
+  image?: string | undefined;
+  emailVerified: boolean;
+};
+interface OAuthProvider<T extends Record<string, any> = Record<string, any>, O extends Record<string, any> = Partial<ProviderOptions>> {
+  id: LiteralString;
+  createAuthorizationURL: (data: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }) => Awaitable<URL>;
+  name: string;
+  validateAuthorizationCode: (data: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  getUserInfo: (token: OAuth2Tokens & {
+    /**
+     * The user object from the provider
+     * This is only available for some providers like Apple
+     */
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }) => Promise<{
+    user: OAuth2UserInfo;
+    data: T;
+  } | null>;
+  /**
+   * Custom function to refresh a token
+   */
+  refreshAccessToken?: ((refreshToken: string) => Promise<OAuth2Tokens>) | undefined;
+  revokeToken?: ((token: string) => Promise<void>) | undefined;
+  /**
+   * Verify the id token
+   * @param token - The id token
+   * @param nonce - The nonce
+   * @returns True if the id token is valid, false otherwise
+   */
+  verifyIdToken?: ((token: string, nonce?: string) => Promise<boolean>) | undefined;
+  /**
+   * Disable implicit sign up for new users. When set to true for the provider,
+   * sign-in need to be called with with requestSignUp as true to create new users.
+   */
+  disableImplicitSignUp?: boolean | undefined;
+  /**
+   * Disable sign up for new users.
+   */
+  disableSignUp?: boolean | undefined;
+  /**
+   * Options for the provider
+   */
+  options?: O | undefined;
+}
+type ProviderOptions<Profile extends Record<string, any> = any> = {
+  /**
+   * The client ID of your application.
+   *
+   * This is usually a string but can be any type depending on the provider.
+   */
+  clientId?: unknown | undefined;
+  /**
+   * The client secret of your application
+   */
+  clientSecret?: string | undefined;
+  /**
+   * The scopes you want to request from the provider
+   */
+  scope?: string[] | undefined;
+  /**
+   * Remove default scopes of the provider
+   */
+  disableDefaultScope?: boolean | undefined;
+  /**
+   * The redirect URL for your application. This is where the provider will
+   * redirect the user after the sign in process. Make sure this URL is
+   * whitelisted in the provider's dashboard.
+   */
+  redirectURI?: string | undefined;
+  /**
+   * Custom authorization endpoint URL.
+   * Use this to override the default authorization endpoint of the provider.
+   * Useful for testing with local OAuth servers or using sandbox environments.
+   */
+  authorizationEndpoint?: string | undefined;
+  /**
+   * The client key of your application
+   * Tiktok Social Provider uses this field instead of clientId
+   */
+  clientKey?: string | undefined;
+  /**
+   * Disable provider from allowing users to sign in
+   * with this provider with an id token sent from the
+   * client.
+   */
+  disableIdTokenSignIn?: boolean | undefined;
+  /**
+   * verifyIdToken function to verify the id token
+   */
+  verifyIdToken?: ((token: string, nonce?: string) => Promise<boolean>) | undefined;
+  /**
+   * Custom function to get user info from the provider
+   */
+  getUserInfo?: ((token: OAuth2Tokens) => Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>) | undefined;
+  /**
+   * Custom function to refresh a token
+   */
+  refreshAccessToken?: ((refreshToken: string) => Promise<OAuth2Tokens>) | undefined;
+  /**
+   * Custom function to map the provider profile to a
+   * user.
+   */
+  mapProfileToUser?: ((profile: Profile) => {
+    id?: string;
+    name?: string;
+    email?: string | null;
+    image?: string;
+    emailVerified?: boolean;
+    [key: string]: any;
+  } | Promise<{
+    id?: string;
+    name?: string;
+    email?: string | null;
+    image?: string;
+    emailVerified?: boolean;
+    [key: string]: any;
+  }>) | undefined;
+  /**
+   * Disable implicit sign up for new users. When set to true for the provider,
+   * sign-in need to be called with with requestSignUp as true to create new users.
+   */
+  disableImplicitSignUp?: boolean | undefined;
+  /**
+   * Disable sign up for new users.
+   */
+  disableSignUp?: boolean | undefined;
+  /**
+   * The prompt to use for the authorization code request
+   */
+  prompt?: ("select_account" | "consent" | "login" | "none" | "select_account consent") | undefined;
+  /**
+   * The response mode to use for the authorization code request
+   */
+  responseMode?: ("query" | "form_post") | undefined;
+  /**
+   * If enabled, the user info will be overridden with the provider user info
+   * This is useful if you want to use the provider user info to update the user info
+   *
+   * @default false
+   */
+  overrideUserInfoOnSignIn?: boolean | undefined;
+};
+//#endregion
+export { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions };

package/dist/oauth2/refresh-access-token.d.mts

@@ -0,0 +1,36 @@
+import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+
+//#region src/oauth2/refresh-access-token.d.ts
+declare function createRefreshAccessTokenRequest({
+  refreshToken,
+  options,
+  authentication,
+  extraParams,
+  resource
+}: {
+  refreshToken: string;
+  options: Partial<ProviderOptions>;
+  authentication?: ("basic" | "post") | undefined;
+  extraParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): {
+  body: URLSearchParams;
+  headers: Record<string, any>;
+};
+declare function refreshAccessToken({
+  refreshToken,
+  options,
+  tokenEndpoint,
+  authentication,
+  extraParams
+}: {
+  refreshToken: string;
+  options: Partial<ProviderOptions>;
+  tokenEndpoint: string;
+  authentication?: ("basic" | "post") | undefined;
+  extraParams?: Record<string, string> | undefined;
+  /** @deprecated always "refresh_token" */
+  grantType?: string | undefined;
+}): Promise<OAuth2Tokens>;
+//#endregion
+export { createRefreshAccessTokenRequest, refreshAccessToken };