@better-auth/core 1.5.0-beta.4 → 1.5.0-beta.5

package/dist/social-providers/gitlab.mjs

@@ -0,0 +1,82 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/gitlab.ts
+const cleanDoubleSlashes = (input = "") => {
+	return input.split("://").map((str) => str.replace(/\/{2,}/g, "/")).join("://");
+};
+const issuerToEndpoints = (issuer) => {
+	let baseUrl = issuer || "https://gitlab.com";
+	return {
+		authorizationEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/authorize`),
+		tokenEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/token`),
+		userinfoEndpoint: cleanDoubleSlashes(`${baseUrl}/api/v4/user`)
+	};
+};
+const gitlab = (options) => {
+	const { authorizationEndpoint, tokenEndpoint, userinfoEndpoint } = issuerToEndpoints(options.issuer);
+	const issuerId = "gitlab";
+	return {
+		id: issuerId,
+		name: "Gitlab",
+		createAuthorizationURL: async ({ state, scopes, codeVerifier, loginHint, redirectURI }) => {
+			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: issuerId,
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				redirectURI,
+				codeVerifier,
+				loginHint
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				codeVerifier,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch(userinfoEndpoint, { headers: { authorization: `Bearer ${token.accessToken}` } });
+			if (error || profile.state !== "active" || profile.locked) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name ?? profile.username,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified: profile.email_verified ?? false,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+
+//#endregion
+export { gitlab };

package/dist/social-providers/google.d.mts

@@ -0,0 +1,99 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/google.d.ts
+interface GoogleProfile {
+  aud: string;
+  azp: string;
+  email: string;
+  email_verified: boolean;
+  exp: number;
+  /**
+   * The family name of the user, or last name in most
+   * Western languages.
+   */
+  family_name: string;
+  /**
+   * The given name of the user, or first name in most
+   * Western languages.
+   */
+  given_name: string;
+  hd?: string | undefined;
+  iat: number;
+  iss: string;
+  jti?: string | undefined;
+  locale?: string | undefined;
+  name: string;
+  nbf?: number | undefined;
+  picture: string;
+  sub: string;
+}
+interface GoogleOptions extends ProviderOptions<GoogleProfile> {
+  clientId: string;
+  /**
+   * The access type to use for the authorization code request
+   */
+  accessType?: ("offline" | "online") | undefined;
+  /**
+   * The display mode to use for the authorization code request
+   */
+  display?: ("page" | "popup" | "touch" | "wap") | undefined;
+  /**
+   * The hosted domain of the user
+   */
+  hd?: string | undefined;
+}
+declare const google: (options: GoogleOptions) => {
+  id: "google";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    codeVerifier,
+    redirectURI,
+    loginHint,
+    display
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: GoogleOptions;
+};
+declare const getGooglePublicKey: (kid: string) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
+//#endregion
+export { GoogleOptions, GoogleProfile, getGooglePublicKey, google };

package/dist/social-providers/google.mjs

@@ -0,0 +1,108 @@
+import { logger } from "../env/logger.mjs";
+import "../env/index.mjs";
+import { APIError, BetterAuthError } from "../error/index.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+
+//#region src/social-providers/google.ts
+const google = (options) => {
+	return {
+		id: "google",
+		name: "Google",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, display }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Google");
+			const _scopes = options.disableDefaultScope ? [] : [
+				"email",
+				"profile",
+				"openid"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "google",
+				options,
+				authorizationEndpoint: "https://accounts.google.com/o/oauth2/auth",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+				accessType: options.accessType,
+				display: display || options.display,
+				loginHint,
+				hd: options.hd,
+				additionalParams: { include_granted_scopes: "true" }
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://oauth2.googleapis.com/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://www.googleapis.com/oauth2/v4/token"
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+			if (!kid || !jwtAlg) return false;
+			const { payload: jwtClaims } = await jwtVerify(token, await getGooglePublicKey(kid), {
+				algorithms: [jwtAlg],
+				issuer: ["https://accounts.google.com", "accounts.google.com"],
+				audience: options.clientId,
+				maxTokenAge: "1h"
+			});
+			if (nonce && jwtClaims.nonce !== nonce) return false;
+			return true;
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.idToken) return null;
+			const user = decodeJwt(token.idToken);
+			const userMap = await options.mapProfileToUser?.(user);
+			return {
+				user: {
+					id: user.sub,
+					name: user.name,
+					email: user.email,
+					image: user.picture,
+					emailVerified: user.email_verified,
+					...userMap
+				},
+				data: user
+			};
+		},
+		options
+	};
+};
+const getGooglePublicKey = async (kid) => {
+	const { data } = await betterFetch("https://www.googleapis.com/oauth2/v3/certs");
+	if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+	return await importJWK(jwk, jwk.alg);
+};
+
+//#endregion
+export { getGooglePublicKey, google };

package/dist/social-providers/huggingface.d.mts

@@ -0,0 +1,85 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/huggingface.d.ts
+interface HuggingFaceProfile {
+  sub: string;
+  name: string;
+  preferred_username: string;
+  profile: string;
+  picture: string;
+  website?: string | undefined;
+  email?: string | undefined;
+  email_verified?: boolean | undefined;
+  isPro: boolean;
+  canPay?: boolean | undefined;
+  orgs?: {
+    sub: string;
+    name: string;
+    picture: string;
+    preferred_username: string;
+    isEnterprise: boolean | "plus";
+    canPay?: boolean;
+    roleInOrg?: "admin" | "write" | "contributor" | "read";
+    pendingSSO?: boolean;
+    missingMFA?: boolean;
+    resourceGroups?: {
+      sub: string;
+      name: string;
+      role: "admin" | "write" | "contributor" | "read";
+    }[];
+  } | undefined;
+}
+interface HuggingFaceOptions extends ProviderOptions<HuggingFaceProfile> {
+  clientId: string;
+}
+declare const huggingface: (options: HuggingFaceOptions) => {
+  id: "huggingface";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    codeVerifier,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: HuggingFaceOptions;
+};
+//#endregion
+export { HuggingFaceOptions, HuggingFaceProfile, huggingface };

package/dist/social-providers/huggingface.mjs

@@ -0,0 +1,75 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/huggingface.ts
+const huggingface = (options) => {
+	return {
+		id: "huggingface",
+		name: "Hugging Face",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "huggingface",
+				options,
+				authorizationEndpoint: "https://huggingface.co/oauth/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://huggingface.co/oauth/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://huggingface.co/oauth/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://huggingface.co/oauth/userinfo", {
+				method: "GET",
+				headers: { Authorization: `Bearer ${token.accessToken}` }
+			});
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name || profile.preferred_username,
+					email: profile.email,
+					image: profile.picture,
+					emailVerified: profile.email_verified ?? false,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+
+//#endregion
+export { huggingface };