@better-auth/core 1.5.0-beta.8 → 1.5.0

package/src/db/test/get-tables.test.ts

@@ -80,4 +80,37 @@ describe("getAuthTables", () => {
 		expect(newField.fieldName).toBe("new_field");
 		expect(newField.type).toBe("string");
 	});
+
+	it("should exclude verification table when secondaryStorage is configured", () => {
+		const tables = getAuthTables({
+			secondaryStorage: {
+				get: async () => null,
+				set: async () => {},
+				delete: async () => {},
+			},
+		});
+
+		expect(tables.verification).toBeUndefined();
+	});
+
+	it("should include verification table when storeInDatabase is true", () => {
+		const tables = getAuthTables({
+			secondaryStorage: {
+				get: async () => null,
+				set: async () => {},
+				delete: async () => {},
+			},
+			verification: {
+				storeInDatabase: true,
+			},
+		});
+
+		expect(tables.verification).toBeDefined();
+	});
+
+	it("should include verification table when no secondaryStorage", () => {
+		const tables = getAuthTables({});
+
+		expect(tables.verification).toBeDefined();
+	});
 });

package/src/db/type.ts

@@ -1,5 +1,10 @@
 import type { StandardSchemaV1 } from "@standard-schema/spec";
-import type { Awaitable, LiteralString } from "../types";
+import type {
+	Awaitable,
+	BetterAuthOptions,
+	LiteralString,
+	UnionToIntersection,
+} from "../types";
 
 export type BaseModelNames = "user" | "account" | "session" | "verification";
 
@@ -8,6 +13,154 @@ export type ModelNames<T extends string = LiteralString> =
 	| T
 	| "rate-limit";
 
+export type InferDBValueType<T extends DBFieldType> = T extends "string"
+	? string
+	: T extends "number"
+		? number
+		: T extends "boolean"
+			? boolean
+			: T extends "date"
+				? Date
+				: T extends "json"
+					? Record<string, any>
+					: T extends `${infer U}[]`
+						? U extends "string"
+							? string[]
+							: number[]
+						: T extends Array<any>
+							? T[number]
+							: never;
+
+export type InferDBFieldOutput<T extends DBFieldAttribute> =
+	T["returned"] extends false
+		? never
+		: T["required"] extends false
+			? InferDBValueType<T["type"]> | undefined | null
+			: InferDBValueType<T["type"]>;
+
+export type InferDBFieldInput<T extends DBFieldAttribute> = InferDBValueType<
+	T["type"]
+>;
+
+export type InferDBFieldsInput<Field> =
+	Field extends Record<infer Key, DBFieldAttribute>
+		? {
+				[key in Key as Field[key]["required"] extends false
+					? never
+					: Field[key]["defaultValue"] extends string | number | boolean | Date
+						? never
+						: Field[key]["input"] extends false
+							? never
+							: key]: InferDBFieldInput<Field[key]>;
+			} & {
+				[key in Key as Field[key]["input"] extends false ? never : key]?:
+					| InferDBFieldInput<Field[key]>
+					| undefined
+					| null;
+			}
+		: {};
+
+export type InferDBFieldsOutput<
+	Fields extends Record<string, DBFieldAttribute>,
+> =
+	Fields extends Record<infer Key, DBFieldAttribute>
+		? {
+				[key in Key as Fields[key]["returned"] extends false
+					? never
+					: Fields[key]["required"] extends false
+						? Fields[key]["defaultValue"] extends
+								| boolean
+								| string
+								| number
+								| Date
+							? key
+							: never
+						: key]: InferDBFieldOutput<Fields[key]>;
+			} & {
+				[key in Key as Fields[key]["returned"] extends false
+					? never
+					: Fields[key]["required"] extends false
+						? Fields[key]["defaultValue"] extends
+								| boolean
+								| string
+								| number
+								| Date
+							? never
+							: key
+						: never]?: InferDBFieldOutput<Fields[key]> | null;
+			}
+		: never;
+
+export type InferDBFieldsFromOptionsInput<
+	DBOptions extends
+		| BetterAuthOptions["session"]
+		| BetterAuthOptions["user"]
+		| BetterAuthOptions["verification"]
+		| BetterAuthOptions["account"]
+		| BetterAuthOptions["rateLimit"],
+> = DBOptions extends {
+	additionalFields: Record<string, DBFieldAttribute>;
+}
+	? InferDBFieldsInput<DBOptions["additionalFields"]>
+	: {};
+
+export type InferDBFieldsFromOptions<
+	DBOptions extends
+		| BetterAuthOptions["session"]
+		| BetterAuthOptions["user"]
+		| BetterAuthOptions["verification"]
+		| BetterAuthOptions["account"]
+		| BetterAuthOptions["rateLimit"],
+> = DBOptions extends {
+	additionalFields: Record<string, DBFieldAttribute>;
+}
+	? InferDBFieldsOutput<DBOptions["additionalFields"]>
+	: {};
+
+export type InferDBFieldsFromPluginsInput<
+	ModelName extends string,
+	Plugins extends unknown[] | undefined,
+> = Plugins extends []
+	? {}
+	: Plugins extends [infer P, ...infer Rest]
+		? P extends {
+				schema: {
+					[key in ModelName]: {
+						fields: infer Fields;
+					};
+				};
+			}
+			? Fields extends Record<string, DBFieldAttribute>
+				? UnionToIntersection<
+						InferDBFieldsInput<Fields> &
+							InferDBFieldsFromPluginsInput<ModelName, Rest>
+					>
+				: InferDBFieldsFromPluginsInput<ModelName, Rest>
+			: InferDBFieldsFromPluginsInput<ModelName, Rest>
+		: {};
+
+export type InferDBFieldsFromPlugins<
+	ModelName extends string,
+	Plugins extends unknown[] | undefined,
+> = Plugins extends []
+	? {}
+	: Plugins extends [infer P, ...infer Rest]
+		? P extends {
+				schema: {
+					[key in ModelName]: {
+						fields: infer Fields;
+					};
+				};
+			}
+			? Fields extends Record<string, DBFieldAttribute>
+				? UnionToIntersection<
+						InferDBFieldsOutput<Fields> &
+							InferDBFieldsFromPlugins<ModelName, Rest>
+					>
+				: InferDBFieldsFromPlugins<ModelName, Rest>
+			: InferDBFieldsFromPlugins<ModelName, Rest>
+		: {};
+
 export type DBFieldType =
 	| "string"
 	| "number"

package/src/env/env-impl.ts

@@ -115,10 +115,10 @@ export const ENV = Object.freeze({
 	get PACKAGE_VERSION() {
 		return getEnvVar("PACKAGE_VERSION", "0.0.0");
 	},
-	get BETTER_AUTH_TELEMETRY_ENDPOINT() {
+	get BETTER_AUTH_TELEMETRY_ENDPOINT(): string | undefined {
 		return getEnvVar(
 			"BETTER_AUTH_TELEMETRY_ENDPOINT",
-			"https://telemetry.better-auth.com/v1/track",
+			import.meta.env.BETTER_AUTH_TELEMETRY_ENDPOINT,
 		);
 	},
 });

package/src/env/logger.ts

@@ -94,7 +94,7 @@ export type InternalLogger = {
 
 export const createLogger = (options?: Logger | undefined): InternalLogger => {
 	const enabled = options?.disabled !== true;
-	const logLevel = options?.level ?? "error";
+	const logLevel = options?.level ?? "warn";
 
 	const isDisableColorsSpecified = options?.disableColors !== undefined;
 	const colorsEnabled = isDisableColorsSpecified

package/src/error/codes.ts

@@ -1,5 +1,18 @@
 import { defineErrorCodes } from "../utils/error-codes";
 
+declare module "@better-auth/core" {
+	interface BetterAuthPluginRegistry<AuthOptions, Options> {
+		/**
+		 * This plugin does not exist, do not use it in runtime.
+		 */
+		"$internal:base": {
+			creator: () => {
+				$ERROR_CODES: typeof BASE_ERROR_CODES;
+			};
+		};
+	}
+}
+
 export const BASE_ERROR_CODES = defineErrorCodes({
 	USER_NOT_FOUND: "User not found",
 	FAILED_TO_CREATE_USER: "Failed to create user",
@@ -49,6 +62,10 @@ export const BASE_ERROR_CODES = defineErrorCodes({
 	ASYNC_VALIDATION_NOT_SUPPORTED: "Async validation is not supported",
 	VALIDATION_ERROR: "Validation Error",
 	MISSING_FIELD: "Field is required",
+	METHOD_NOT_ALLOWED_DEFER_SESSION_REQUIRED:
+		"POST method requires deferSessionRefresh to be enabled in session config",
+	BODY_MUST_BE_AN_OBJECT: "Body must be an object",
+	PASSWORD_ALREADY_SET: "User already has a password set",
 });
 
 export type APIErrorCode = keyof typeof BASE_ERROR_CODES;

package/src/oauth2/client-credentials-token.ts

@@ -1,7 +1,31 @@
 import { base64Url } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
+import type { AwaitableFunction } from "../types";
 import type { OAuth2Tokens, ProviderOptions } from "./oauth-provider";
 
+export async function clientCredentialsTokenRequest({
+	options,
+	scope,
+	authentication,
+	resource,
+}: {
+	options: AwaitableFunction<ProviderOptions & { clientSecret: string }>;
+	scope?: string | undefined;
+	authentication?: ("basic" | "post") | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	options = typeof options === "function" ? await options() : options;
+	return createClientCredentialsTokenRequest({
+		options,
+		scope,
+		authentication,
+		resource,
+	});
+}
+
+/**
+ * @deprecated use async'd clientCredentialsTokenRequest instead
+ */
 export function createClientCredentialsTokenRequest({
 	options,
 	scope,
@@ -59,13 +83,13 @@ export async function clientCredentialsToken({
 	authentication,
 	resource,
 }: {
-	options: ProviderOptions & { clientSecret: string };
+	options: AwaitableFunction<ProviderOptions & { clientSecret: string }>;
 	tokenEndpoint: string;
 	scope: string;
 	authentication?: ("basic" | "post") | undefined;
 	resource?: (string | string[]) | undefined;
 }): Promise<OAuth2Tokens> {
-	const { body, headers } = createClientCredentialsTokenRequest({
+	const { body, headers } = await clientCredentialsTokenRequest({
 		options,
 		scope,
 		authentication,

package/src/oauth2/create-authorization-url.ts

@@ -1,3 +1,4 @@
+import type { AwaitableFunction } from "../types";
 import type { ProviderOptions } from "./index";
 import { generateCodeChallenge } from "./utils";
 
@@ -22,7 +23,7 @@ export async function createAuthorizationURL({
 	scopeJoiner,
 }: {
 	id: string;
-	options: ProviderOptions;
+	options: AwaitableFunction<ProviderOptions>;
 	redirectURI: string;
 	authorizationEndpoint: string;
 	state: string;
@@ -40,6 +41,7 @@ export async function createAuthorizationURL({
 	additionalParams?: Record<string, string> | undefined;
 	scopeJoiner?: string | undefined;
 }) {
+	options = typeof options === "function" ? await options() : options;
 	const url = new URL(options.authorizationEndpoint || authorizationEndpoint);
 	url.searchParams.set("response_type", responseType || "code");
 	const primaryClientId = Array.isArray(options.clientId)

package/src/oauth2/index.ts

@@ -1,5 +1,6 @@
 export {
 	clientCredentialsToken,
+	clientCredentialsTokenRequest,
 	createClientCredentialsTokenRequest,
 } from "./client-credentials-token";
 export { createAuthorizationURL } from "./create-authorization-url";
@@ -12,9 +13,11 @@ export type {
 export {
 	createRefreshAccessTokenRequest,
 	refreshAccessToken,
+	refreshAccessTokenRequest,
 } from "./refresh-access-token";
 export { generateCodeChallenge, getOAuth2Tokens } from "./utils";
 export {
+	authorizationCodeRequest,
 	createAuthorizationCodeRequest,
 	validateAuthorizationCode,
 	validateToken,

package/src/oauth2/oauth-provider.ts

@@ -42,7 +42,7 @@ export interface OAuthProvider<
 		redirectURI: string;
 		codeVerifier?: string | undefined;
 		deviceId?: string | undefined;
-	}) => Promise<OAuth2Tokens>;
+	}) => Promise<OAuth2Tokens | null>;
 	getUserInfo: (
 		token: OAuth2Tokens & {
 			/**

package/src/oauth2/refresh-access-token.test.ts

@@ -0,0 +1,90 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("@better-fetch/fetch", () => ({
+	betterFetch: vi.fn(),
+}));
+
+import { betterFetch } from "@better-fetch/fetch";
+import { refreshAccessToken } from "./refresh-access-token";
+
+const mockedBetterFetch = vi.mocked(betterFetch);
+
+describe("refreshAccessToken", () => {
+	it("should set accessTokenExpiresAt when expires_in is returned", async () => {
+		const now = Date.now();
+		mockedBetterFetch.mockResolvedValueOnce({
+			data: {
+				access_token: "new-access-token",
+				refresh_token: "new-refresh-token",
+				expires_in: 3600,
+				token_type: "Bearer",
+			},
+			error: null,
+		});
+
+		const tokens = await refreshAccessToken({
+			refreshToken: "old-refresh-token",
+			options: { clientId: "test-client", clientSecret: "test-secret" },
+			tokenEndpoint: "https://example.com/token",
+		});
+
+		expect(tokens.accessToken).toBe("new-access-token");
+		expect(tokens.refreshToken).toBe("new-refresh-token");
+		expect(tokens.accessTokenExpiresAt).toBeInstanceOf(Date);
+		expect(tokens.accessTokenExpiresAt!.getTime()).toBeGreaterThanOrEqual(
+			now + 3600 * 1000 - 1000,
+		);
+		expect(tokens.refreshTokenExpiresAt).toBeUndefined();
+	});
+
+	/**
+	 * @see https://github.com/better-auth/better-auth/issues/7682
+	 */
+	it("should set refreshTokenExpiresAt when refresh_token_expires_in is returned", async () => {
+		const now = Date.now();
+		mockedBetterFetch.mockResolvedValueOnce({
+			data: {
+				access_token: "new-access-token",
+				refresh_token: "new-refresh-token",
+				expires_in: 3600,
+				refresh_token_expires_in: 86400,
+				token_type: "Bearer",
+			},
+			error: null,
+		});
+
+		const tokens = await refreshAccessToken({
+			refreshToken: "old-refresh-token",
+			options: { clientId: "test-client", clientSecret: "test-secret" },
+			tokenEndpoint: "https://example.com/token",
+		});
+
+		expect(tokens.accessToken).toBe("new-access-token");
+		expect(tokens.refreshToken).toBe("new-refresh-token");
+		expect(tokens.accessTokenExpiresAt).toBeInstanceOf(Date);
+		expect(tokens.refreshTokenExpiresAt).toBeInstanceOf(Date);
+		expect(tokens.refreshTokenExpiresAt!.getTime()).toBeGreaterThanOrEqual(
+			now + 86400 * 1000 - 1000,
+		);
+	});
+
+	it("should not set refreshTokenExpiresAt when refresh_token_expires_in is not returned", async () => {
+		mockedBetterFetch.mockResolvedValueOnce({
+			data: {
+				access_token: "new-access-token",
+				refresh_token: "new-refresh-token",
+				expires_in: 3600,
+				token_type: "Bearer",
+			},
+			error: null,
+		});
+
+		const tokens = await refreshAccessToken({
+			refreshToken: "old-refresh-token",
+			options: { clientId: "test-client", clientSecret: "test-secret" },
+			tokenEndpoint: "https://example.com/token",
+		});
+
+		expect(tokens.refreshTokenExpiresAt).toBeUndefined();
+	});
+});

package/src/oauth2/refresh-access-token.ts

@@ -1,7 +1,34 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
+import type { AwaitableFunction } from "../types";
 import type { OAuth2Tokens, ProviderOptions } from "./oauth-provider";
 
+export async function refreshAccessTokenRequest({
+	refreshToken,
+	options,
+	authentication,
+	extraParams,
+	resource,
+}: {
+	refreshToken: string;
+	options: AwaitableFunction<Partial<ProviderOptions>>;
+	authentication?: ("basic" | "post") | undefined;
+	extraParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	options = typeof options === "function" ? await options() : options;
+	return createRefreshAccessTokenRequest({
+		refreshToken,
+		options,
+		authentication,
+		extraParams,
+		resource,
+	});
+}
+
+/**
+ * @deprecated use async'd refreshAccessTokenRequest instead
+ */
 export function createRefreshAccessTokenRequest({
 	refreshToken,
 	options,
@@ -10,7 +37,7 @@ export function createRefreshAccessTokenRequest({
 	resource,
 }: {
 	refreshToken: string;
-	options: Partial<ProviderOptions>;
+	options: ProviderOptions;
 	authentication?: ("basic" | "post") | undefined;
 	extraParams?: Record<string, string> | undefined;
 	resource?: (string | string[]) | undefined;
@@ -80,10 +107,8 @@ export async function refreshAccessToken({
 	tokenEndpoint: string;
 	authentication?: ("basic" | "post") | undefined;
 	extraParams?: Record<string, string> | undefined;
-	/** @deprecated always "refresh_token" */
-	grantType?: string | undefined;
 }): Promise<OAuth2Tokens> {
-	const { body, headers } = createRefreshAccessTokenRequest({
+	const { body, headers } = await createRefreshAccessTokenRequest({
 		refreshToken,
 		options,
 		authentication,
@@ -94,6 +119,7 @@ export async function refreshAccessToken({
 		access_token: string;
 		refresh_token?: string | undefined;
 		expires_in?: number | undefined;
+		refresh_token_expires_in?: number | undefined;
 		token_type?: string | undefined;
 		scope?: string | undefined;
 		id_token?: string | undefined;
@@ -120,5 +146,12 @@ export async function refreshAccessToken({
 		);
 	}
 
+	if (data.refresh_token_expires_in) {
+		const now = new Date();
+		tokens.refreshTokenExpiresAt = new Date(
+			now.getTime() + data.refresh_token_expires_in * 1000,
+		);
+	}
+
 	return tokens;
 }

package/src/oauth2/validate-authorization-code.ts

@@ -1,9 +1,48 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { jwtVerify } from "jose";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import type { AwaitableFunction } from "../types";
 import type { ProviderOptions } from "./index";
 import { getOAuth2Tokens } from "./index";
 
+export async function authorizationCodeRequest({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: AwaitableFunction<Partial<ProviderOptions>>;
+	codeVerifier?: string | undefined;
+	deviceId?: string | undefined;
+	authentication?: ("basic" | "post") | undefined;
+	headers?: Record<string, string> | undefined;
+	additionalParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	options = typeof options === "function" ? await options() : options;
+	return createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource,
+	});
+}
+
+/**
+ * @deprecated use async'd authorizationCodeRequest instead
+ */
 export function createAuthorizationCodeRequest({
 	code,
 	codeVerifier,
@@ -31,6 +70,7 @@ export function createAuthorizationCodeRequest({
 		accept: "application/json",
 		...headers,
 	};
+
 	body.set("grant_type", "authorization_code");
 	body.set("code", code);
 	codeVerifier && body.set("code_verifier", codeVerifier);
@@ -90,7 +130,7 @@ export async function validateAuthorizationCode({
 }: {
 	code: string;
 	redirectURI: string;
-	options: Partial<ProviderOptions>;
+	options: AwaitableFunction<Partial<ProviderOptions>>;
 	codeVerifier?: string | undefined;
 	deviceId?: string | undefined;
 	tokenEndpoint: string;
@@ -99,7 +139,7 @@ export async function validateAuthorizationCode({
 	additionalParams?: Record<string, string> | undefined;
 	resource?: (string | string[]) | undefined;
 }) {
-	const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+	const { body, headers: requestHeaders } = await authorizationCodeRequest({
 		code,
 		codeVerifier,
 		redirectURI,
@@ -116,7 +156,6 @@ export async function validateAuthorizationCode({
 		body: body,
 		headers: requestHeaders,
 	});
-
 	if (error) {
 		throw error;
 	}
@@ -124,31 +163,18 @@ export async function validateAuthorizationCode({
 	return tokens;
 }
 
-export async function validateToken(token: string, jwksEndpoint: string) {
-	const { data, error } = await betterFetch<{
-		keys: {
-			kid: string;
-			kty: string;
-			use: string;
-			n: string;
-			e: string;
-			x5c: string[];
-		}[];
-	}>(jwksEndpoint, {
-		method: "GET",
-		headers: {
-			accept: "application/json",
-		},
+export async function validateToken(
+	token: string,
+	jwksEndpoint: string,
+	options?: {
+		audience?: string | string[];
+		issuer?: string | string[];
+	},
+) {
+	const jwks = createRemoteJWKSet(new URL(jwksEndpoint));
+	const verified = await jwtVerify(token, jwks, {
+		audience: options?.audience,
+		issuer: options?.issuer,
 	});
-	if (error) {
-		throw error;
-	}
-	const keys = data["keys"];
-	const header = JSON.parse(atob(token.split(".")[0]!));
-	const key = keys.find((key) => key.kid === header.kid);
-	if (!key) {
-		throw new Error("Key not found");
-	}
-	const verified = await jwtVerify(token, key);
 	return verified;
 }