@better-auth/core 1.5.0-beta.4 → 1.5.0-beta.6

package/dist/oauth2/refresh-access-token.mjs

@@ -0,0 +1,58 @@
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/oauth2/refresh-access-token.ts
+function createRefreshAccessTokenRequest({ refreshToken, options, authentication, extraParams, resource }) {
+	const body = new URLSearchParams();
+	const headers = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json"
+	};
+	body.set("grant_type", "refresh_token");
+	body.set("refresh_token", refreshToken);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		if (primaryClientId) headers["authorization"] = "Basic " + base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`);
+		else headers["authorization"] = "Basic " + base64.encode(`:${options.clientSecret ?? ""}`);
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) body.set("client_secret", options.clientSecret);
+	}
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (extraParams) for (const [key, value] of Object.entries(extraParams)) body.set(key, value);
+	return {
+		body,
+		headers
+	};
+}
+async function refreshAccessToken({ refreshToken, options, tokenEndpoint, authentication, extraParams }) {
+	const { body, headers } = createRefreshAccessTokenRequest({
+		refreshToken,
+		options,
+		authentication,
+		extraParams
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers
+	});
+	if (error) throw error;
+	const tokens = {
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		tokenType: data.token_type,
+		scopes: data.scope?.split(" "),
+		idToken: data.id_token
+	};
+	if (data.expires_in) {
+		const now = /* @__PURE__ */ new Date();
+		tokens.accessTokenExpiresAt = new Date(now.getTime() + data.expires_in * 1e3);
+	}
+	return tokens;
+}
+
+//#endregion
+export { createRefreshAccessTokenRequest, refreshAccessToken };

package/dist/oauth2/utils.d.mts

@@ -0,0 +1,7 @@
+import { OAuth2Tokens } from "./oauth-provider.mjs";
+
+//#region src/oauth2/utils.d.ts
+declare function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens;
+declare function generateCodeChallenge(codeVerifier: string): Promise<string>;
+//#endregion
+export { generateCodeChallenge, getOAuth2Tokens };

package/dist/oauth2/utils.mjs

@@ -0,0 +1,27 @@
+import { base64Url } from "@better-auth/utils/base64";
+
+//#region src/oauth2/utils.ts
+function getOAuth2Tokens(data) {
+	const getDate = (seconds) => {
+		const now = /* @__PURE__ */ new Date();
+		return new Date(now.getTime() + seconds * 1e3);
+	};
+	return {
+		tokenType: data.token_type,
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		accessTokenExpiresAt: data.expires_in ? getDate(data.expires_in) : void 0,
+		refreshTokenExpiresAt: data.refresh_token_expires_in ? getDate(data.refresh_token_expires_in) : void 0,
+		scopes: data?.scope ? typeof data.scope === "string" ? data.scope.split(" ") : data.scope : [],
+		idToken: data.id_token,
+		raw: data
+	};
+}
+async function generateCodeChallenge(codeVerifier) {
+	const data = new TextEncoder().encode(codeVerifier);
+	const hash = await crypto.subtle.digest("SHA-256", data);
+	return base64Url.encode(new Uint8Array(hash), { padding: false });
+}
+
+//#endregion
+export { generateCodeChallenge, getOAuth2Tokens };

package/dist/oauth2/validate-authorization-code.d.mts

@@ -0,0 +1,55 @@
+import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+import "./index.mjs";
+import * as jose0 from "jose";
+
+//#region src/oauth2/validate-authorization-code.d.ts
+declare function createAuthorizationCodeRequest({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams,
+  resource
+}: {
+  code: string;
+  redirectURI: string;
+  options: Partial<ProviderOptions>;
+  codeVerifier?: string | undefined;
+  deviceId?: string | undefined;
+  authentication?: ("basic" | "post") | undefined;
+  headers?: Record<string, string> | undefined;
+  additionalParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): {
+  body: URLSearchParams;
+  headers: Record<string, any>;
+};
+declare function validateAuthorizationCode({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  tokenEndpoint,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams,
+  resource
+}: {
+  code: string;
+  redirectURI: string;
+  options: Partial<ProviderOptions>;
+  codeVerifier?: string | undefined;
+  deviceId?: string | undefined;
+  tokenEndpoint: string;
+  authentication?: ("basic" | "post") | undefined;
+  headers?: Record<string, string> | undefined;
+  additionalParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): Promise<OAuth2Tokens>;
+declare function validateToken(token: string, jwksEndpoint: string): Promise<jose0.JWTVerifyResult<jose0.JWTPayload>>;
+//#endregion
+export { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken };

package/dist/oauth2/validate-authorization-code.mjs

@@ -0,0 +1,71 @@
+import { getOAuth2Tokens } from "./utils.mjs";
+import "./index.mjs";
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import { jwtVerify } from "jose";
+
+//#region src/oauth2/validate-authorization-code.ts
+function createAuthorizationCodeRequest({ code, codeVerifier, redirectURI, options, authentication, deviceId, headers, additionalParams = {}, resource }) {
+	const body = new URLSearchParams();
+	const requestHeaders = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+		...headers
+	};
+	body.set("grant_type", "authorization_code");
+	body.set("code", code);
+	codeVerifier && body.set("code_verifier", codeVerifier);
+	options.clientKey && body.set("client_key", options.clientKey);
+	deviceId && body.set("device_id", deviceId);
+	body.set("redirect_uri", options.redirectURI || redirectURI);
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		requestHeaders["authorization"] = `Basic ${base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`)}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) body.set("client_secret", options.clientSecret);
+	}
+	for (const [key, value] of Object.entries(additionalParams)) if (!body.has(key)) body.append(key, value);
+	return {
+		body,
+		headers: requestHeaders
+	};
+}
+async function validateAuthorizationCode({ code, codeVerifier, redirectURI, options, tokenEndpoint, authentication, deviceId, headers, additionalParams = {}, resource }) {
+	const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers: requestHeaders
+	});
+	if (error) throw error;
+	return getOAuth2Tokens(data);
+}
+async function validateToken(token, jwksEndpoint) {
+	const { data, error } = await betterFetch(jwksEndpoint, {
+		method: "GET",
+		headers: { accept: "application/json" }
+	});
+	if (error) throw error;
+	const keys = data["keys"];
+	const header = JSON.parse(atob(token.split(".")[0]));
+	const key = keys.find((key$1) => key$1.kid === header.kid);
+	if (!key) throw new Error("Key not found");
+	return await jwtVerify(token, key);
+}
+
+//#endregion
+export { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken };

package/dist/oauth2/verify.d.mts

@@ -0,0 +1,49 @@
+import { JSONWebKeySet, JWTPayload, JWTVerifyOptions } from "jose";
+
+//#region src/oauth2/verify.d.ts
+interface VerifyAccessTokenRemote {
+  /** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
+  introspectUrl: string;
+  /** Client Secret */
+  clientId: string;
+  /** Client Secret */
+  clientSecret: string;
+  /**
+   * Forces remote verification of a token.
+   * This ensures attached session (if applicable)
+   * is also still active.
+   */
+  force?: boolean;
+}
+/**
+ * Performs local verification of an access token for your APIs.
+ *
+ * Can also be configured for remote verification.
+ */
+declare function verifyJwsAccessToken(token: string, opts: {
+  /** Jwks url or promise of a Jwks */
+  jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+  /** Verify options */
+  verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+}): Promise<JWTPayload>;
+declare function getJwks(token: string, opts: {
+  /** Jwks url or promise of a Jwks */
+  jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+}): Promise<JSONWebKeySet>;
+/**
+ * Performs local verification of an access token for your API.
+ *
+ * Can also be configured for remote verification.
+ */
+declare function verifyAccessToken(token: string, opts: {
+  /** Verify options */
+  verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+  /** Scopes to additionally verify. Token must include all but not exact. */
+  scopes?: string[];
+  /** Required to verify access token locally */
+  jwksUrl?: string;
+  /** If provided, can verify a token remotely */
+  remoteVerify?: VerifyAccessTokenRemote;
+}): Promise<JWTPayload>;
+//#endregion
+export { getJwks, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/verify.mjs

@@ -0,0 +1,95 @@
+import { logger } from "../env/logger.mjs";
+import "../env/index.mjs";
+import { APIError } from "better-call";
+import { betterFetch } from "@better-fetch/fetch";
+import { UnsecuredJWT, createLocalJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+
+//#region src/oauth2/verify.ts
+/** Last fetched jwks used locally in getJwks @internal */
+let jwks;
+/**
+* Performs local verification of an access token for your APIs.
+*
+* Can also be configured for remote verification.
+*/
+async function verifyJwsAccessToken(token, opts) {
+	try {
+		const jwt = await jwtVerify(token, createLocalJWKSet(await getJwks(token, opts)), opts.verifyOptions);
+		if (jwt.payload.azp) jwt.payload.client_id = jwt.payload.azp;
+		return jwt.payload;
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error);
+	}
+}
+async function getJwks(token, opts) {
+	let jwtHeaders;
+	try {
+		jwtHeaders = decodeProtectedHeader(token);
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error);
+	}
+	if (!jwtHeaders.kid) throw new Error("Missing jwt kid");
+	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
+		jwks = typeof opts.jwksFetch === "string" ? await betterFetch(opts.jwksFetch, { headers: { Accept: "application/json" } }).then(async (res) => {
+			if (res.error) throw new Error(`Jwks failed: ${res.error.message ?? res.error.statusText}`);
+			return res.data;
+		}) : await opts.jwksFetch();
+		if (!jwks) throw new Error("No jwks found");
+	}
+	return jwks;
+}
+/**
+* Performs local verification of an access token for your API.
+*
+* Can also be configured for remote verification.
+*/
+async function verifyAccessToken(token, opts) {
+	let payload;
+	if (opts.jwksUrl && !opts?.remoteVerify?.force) try {
+		payload = await verifyJwsAccessToken(token, {
+			jwksFetch: opts.jwksUrl,
+			verifyOptions: opts.verifyOptions
+		});
+	} catch (error) {
+		if (error instanceof Error) if (error.name === "TypeError" || error.name === "JWSInvalid") {} else if (error.name === "JWTExpired") throw new APIError("UNAUTHORIZED", { message: "token expired" });
+		else if (error.name === "JWTInvalid") throw new APIError("UNAUTHORIZED", { message: "token invalid" });
+		else throw error;
+		else throw new Error(error);
+	}
+	if (opts?.remoteVerify) {
+		const { data: introspect, error: introspectError } = await betterFetch(opts.remoteVerify.introspectUrl, {
+			method: "POST",
+			headers: {
+				Accept: "application/json",
+				"Content-Type": "application/x-www-form-urlencoded"
+			},
+			body: new URLSearchParams({
+				client_id: opts.remoteVerify.clientId,
+				client_secret: opts.remoteVerify.clientSecret,
+				token,
+				token_type_hint: "access_token"
+			}).toString()
+		});
+		if (introspectError) logger.error(`Introspection failed: ${introspectError.message ?? introspectError.statusText}`);
+		if (!introspect) throw new APIError("INTERNAL_SERVER_ERROR", { message: "introspection failed" });
+		if (!introspect.active) throw new APIError("UNAUTHORIZED", { message: "token inactive" });
+		try {
+			const unsecuredJwt = new UnsecuredJWT(introspect).encode();
+			const { audience: _audience, ...verifyOptions } = opts.verifyOptions;
+			payload = (introspect.aud ? UnsecuredJWT.decode(unsecuredJwt, opts.verifyOptions) : UnsecuredJWT.decode(unsecuredJwt, verifyOptions)).payload;
+		} catch (error) {
+			throw new Error(error);
+		}
+	}
+	if (!payload) throw new APIError("UNAUTHORIZED", { message: `no token payload` });
+	if (opts.scopes) {
+		const validScopes = new Set(payload.scope?.split(" "));
+		for (const sc of opts.scopes) if (!validScopes.has(sc)) throw new APIError("FORBIDDEN", { message: `invalid scope ${sc}` });
+	}
+	return payload;
+}
+
+//#endregion
+export { getJwks, verifyAccessToken, verifyJwsAccessToken };

package/dist/social-providers/apple.d.mts

@@ -0,0 +1,119 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/apple.d.ts
+interface AppleProfile {
+  /**
+   * The subject registered claim identifies the principal that’s the subject
+   * of the identity token. Because this token is for your app, the value is
+   * the unique identifier for the user.
+   */
+  sub: string;
+  /**
+   * A String value representing the user's email address.
+   * The email address is either the user's real email address or the proxy
+   * address, depending on their status private email relay service.
+   */
+  email: string;
+  /**
+   * A string or Boolean value that indicates whether the service verifies
+   * the email. The value can either be a string ("true" or "false") or a
+   * Boolean (true or false). The system may not verify email addresses for
+   * Sign in with Apple at Work & School users, and this claim is "false" or
+   * false for those users.
+   */
+  email_verified: true | "true";
+  /**
+   * A string or Boolean value that indicates whether the email that the user
+   * shares is the proxy address. The value can either be a string ("true" or
+   * "false") or a Boolean (true or false).
+   */
+  is_private_email: boolean;
+  /**
+   * An Integer value that indicates whether the user appears to be a real
+   * person. Use the value of this claim to mitigate fraud. The possible
+   * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
+   * more information, see ASUserDetectionStatus. This claim is present only
+   * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
+   * and later. The claim isn’t present or supported for web-based apps.
+   */
+  real_user_status: number;
+  /**
+   * The user’s full name in the format provided during the authorization
+   * process.
+   */
+  name: string;
+  /**
+   * The URL to the user's profile picture.
+   */
+  picture: string;
+  user?: AppleNonConformUser | undefined;
+}
+/**
+ * This is the shape of the `user` query parameter that Apple sends the first
+ * time the user consents to the app.
+ * @see https://developer.apple.com/documentation/signinwithapplerestapi/request-an-authorization-to-the-sign-in-with-apple-server./
+ */
+interface AppleNonConformUser {
+  name: {
+    firstName: string;
+    lastName: string;
+  };
+  email: string;
+}
+interface AppleOptions extends ProviderOptions<AppleProfile> {
+  clientId: string;
+  appBundleIdentifier?: string | undefined;
+  audience?: (string | string[]) | undefined;
+}
+declare const apple: (options: AppleOptions) => {
+  id: "apple";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: AppleOptions;
+};
+declare const getApplePublicKey: (kid: string) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
+//#endregion
+export { AppleNonConformUser, AppleOptions, AppleProfile, apple, getApplePublicKey };

package/dist/social-providers/apple.mjs

@@ -0,0 +1,102 @@
+import { APIError } from "../error/index.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+
+//#region src/social-providers/apple.ts
+const apple = (options) => {
+	const tokenEndpoint = "https://appleid.apple.com/auth/token";
+	return {
+		id: "apple",
+		name: "Apple",
+		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
+			if (options.scope) _scope.push(...options.scope);
+			if (scopes) _scope.push(...scopes);
+			return await createAuthorizationURL({
+				id: "apple",
+				options,
+				authorizationEndpoint: "https://appleid.apple.com/auth/authorize",
+				scopes: _scope,
+				state,
+				redirectURI,
+				responseMode: "form_post",
+				responseType: "code id_token"
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+			if (!kid || !jwtAlg) return false;
+			const { payload: jwtClaims } = await jwtVerify(token, await getApplePublicKey(kid), {
+				algorithms: [jwtAlg],
+				issuer: "https://appleid.apple.com",
+				audience: options.audience && options.audience.length ? options.audience : options.appBundleIdentifier ? options.appBundleIdentifier : options.clientId,
+				maxTokenAge: "1h"
+			});
+			["email_verified", "is_private_email"].forEach((field) => {
+				if (jwtClaims[field] !== void 0) jwtClaims[field] = Boolean(jwtClaims[field]);
+			});
+			if (nonce && jwtClaims.nonce !== nonce) return false;
+			return !!jwtClaims;
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://appleid.apple.com/auth/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.idToken) return null;
+			const profile = decodeJwt(token.idToken);
+			if (!profile) return null;
+			const name = token.user ? `${token.user.name?.firstName} ${token.user.name?.lastName}` : profile.name || profile.email;
+			const emailVerified = typeof profile.email_verified === "boolean" ? profile.email_verified : profile.email_verified === "true";
+			const enrichedProfile = {
+				...profile,
+				name
+			};
+			const userMap = await options.mapProfileToUser?.(enrichedProfile);
+			return {
+				user: {
+					id: profile.sub,
+					name: enrichedProfile.name,
+					emailVerified,
+					email: profile.email,
+					...userMap
+				},
+				data: enrichedProfile
+			};
+		},
+		options
+	};
+};
+const getApplePublicKey = async (kid) => {
+	const { data } = await betterFetch(`https://appleid.apple.com/auth/keys`);
+	if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+	return await importJWK(jwk, jwk.alg);
+};
+
+//#endregion
+export { apple, getApplePublicKey };

package/dist/social-providers/atlassian.d.mts

@@ -0,0 +1,72 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/atlassian.d.ts
+interface AtlassianProfile {
+  account_type?: string | undefined;
+  account_id: string;
+  email?: string | undefined;
+  name: string;
+  picture?: string | undefined;
+  nickname?: string | undefined;
+  locale?: string | undefined;
+  extended_profile?: {
+    job_title?: string;
+    organization?: string;
+    department?: string;
+    location?: string;
+  } | undefined;
+}
+interface AtlassianOptions extends ProviderOptions<AtlassianProfile> {
+  clientId: string;
+}
+declare const atlassian: (options: AtlassianOptions) => {
+  id: "atlassian";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    codeVerifier,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: AtlassianOptions;
+};
+//#endregion
+export { AtlassianOptions, AtlassianProfile, atlassian };