@better-auth/core 1.5.0-beta.8 → 1.5.0

package/src/oauth2/validate-token.test.ts

@@ -0,0 +1,229 @@
+import type { JWK } from "jose";
+import { exportJWK, generateKeyPair, SignJWT } from "jose";
+import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
+import { validateToken } from "./validate-authorization-code";
+
+describe("validateToken", () => {
+	const originalFetch = globalThis.fetch;
+	const mockedFetch = vi.fn() as unknown as typeof fetch &
+		ReturnType<typeof vi.fn>;
+
+	beforeAll(() => {
+		globalThis.fetch = mockedFetch;
+	});
+
+	afterAll(() => {
+		globalThis.fetch = originalFetch;
+	});
+
+	async function createTestJWKS(alg: string, crv?: string) {
+		const { publicKey, privateKey } = await generateKeyPair(alg, {
+			crv,
+			extractable: true,
+		});
+		const publicJWK = await exportJWK(publicKey);
+		const privateJWK = await exportJWK(privateKey);
+		const kid = `test-key-${Date.now()}`;
+		publicJWK.kid = kid;
+		publicJWK.alg = alg;
+		privateJWK.kid = kid;
+		privateJWK.alg = alg;
+		return { publicJWK, privateJWK, kid, publicKey, privateKey };
+	}
+
+	async function createSignedToken(
+		privateKey: CryptoKey,
+		alg: string,
+		kid: string,
+		payload: Record<string, unknown> = {},
+	) {
+		return await new SignJWT({
+			sub: "user-123",
+			email: "test@example.com",
+			iss: "https://example.com",
+			aud: "test-client",
+			...payload,
+		})
+			.setProtectedHeader({ alg, kid })
+			.setIssuedAt()
+			.setExpirationTime("1h")
+			.sign(privateKey);
+	}
+
+	function mockJWKSResponse(...publicJWKs: JWK[]) {
+		mockedFetch.mockResolvedValueOnce(
+			new Response(JSON.stringify({ keys: publicJWKs }), {
+				status: 200,
+				headers: { "content-type": "application/json" },
+			}),
+		);
+	}
+
+	it("should verify RS256 signed token", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.sub).toBe("user-123");
+		expect(result.payload.email).toBe("test@example.com");
+	});
+
+	it("should verify ES256 signed token", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("ES256");
+		const token = await createSignedToken(privateKey, "ES256", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.sub).toBe("user-123");
+	});
+
+	it("should verify EdDSA (Ed25519) signed token", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS(
+			"EdDSA",
+			"Ed25519",
+		);
+		const token = await createSignedToken(privateKey, "EdDSA", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.sub).toBe("user-123");
+	});
+
+	it("should throw when kid doesn't match any key", async () => {
+		const { publicJWK, privateKey } = await createTestJWKS("RS256");
+		publicJWK.kid = "different-kid";
+		const token = await createSignedToken(privateKey, "RS256", "original-kid");
+		mockJWKSResponse(publicJWK);
+
+		await expect(
+			validateToken(token, "https://example.com/.well-known/jwks"),
+		).rejects.toThrow();
+	});
+
+	it("should find correct key when multiple keys exist", async () => {
+		const key1 = await createTestJWKS("RS256");
+		const key2 = await createTestJWKS("RS256");
+		const key3 = await createTestJWKS("ES256");
+		const token = await createSignedToken(key2.privateKey, "RS256", key2.kid);
+		mockJWKSResponse(key1.publicJWK, key2.publicJWK, key3.publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.sub).toBe("user-123");
+	});
+
+	it("should throw when JWKS returns empty keys array", async () => {
+		const { privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse();
+
+		await expect(
+			validateToken(token, "https://example.com/.well-known/jwks"),
+		).rejects.toThrow();
+	});
+
+	it("should throw when JWKS fetch fails", async () => {
+		const { privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockedFetch.mockResolvedValueOnce(
+			new Response("Internal Server Error", { status: 500 }),
+		);
+
+		await expect(
+			validateToken(token, "https://example.com/.well-known/jwks"),
+		).rejects.toBeDefined();
+	});
+
+	it("should verify token with matching audience", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+			{ audience: "test-client" },
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.aud).toBe("test-client");
+	});
+
+	it("should reject token with mismatched audience", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		await expect(
+			validateToken(token, "https://example.com/.well-known/jwks", {
+				audience: "wrong-client",
+			}),
+		).rejects.toThrow();
+	});
+
+	it("should verify token with matching issuer", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+			{ issuer: "https://example.com" },
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.iss).toBe("https://example.com");
+	});
+
+	it("should reject token with mismatched issuer", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		await expect(
+			validateToken(token, "https://example.com/.well-known/jwks", {
+				issuer: "https://wrong-issuer.com",
+			}),
+		).rejects.toThrow();
+	});
+
+	it("should verify token with both audience and issuer", async () => {
+		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
+		const token = await createSignedToken(privateKey, "RS256", kid);
+		mockJWKSResponse(publicJWK);
+
+		const result = await validateToken(
+			token,
+			"https://example.com/.well-known/jwks",
+			{
+				audience: "test-client",
+				issuer: "https://example.com",
+			},
+		);
+
+		expect(result).toBeDefined();
+		expect(result.payload.aud).toBe("test-client");
+		expect(result.payload.iss).toBe("https://example.com");
+	});
+});

package/src/social-providers/apple.ts

@@ -112,41 +112,41 @@ export const apple = (options: AppleOptions) => {
 			if (options.verifyIdToken) {
 				return options.verifyIdToken(token, nonce);
 			}
-			const decodedHeader = decodeProtectedHeader(token);
-			const { kid, alg: jwtAlg } = decodedHeader;
-			if (!kid || !jwtAlg) return false;
-			const publicKey = await getApplePublicKey(kid);
-			const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
-				algorithms: [jwtAlg],
-				issuer: "https://appleid.apple.com",
-				audience:
-					options.audience && options.audience.length
-						? options.audience
-						: options.appBundleIdentifier
-							? options.appBundleIdentifier
-							: options.clientId,
-				maxTokenAge: "1h",
-			});
-			["email_verified", "is_private_email"].forEach((field) => {
-				if (jwtClaims[field] !== undefined) {
-					jwtClaims[field] = Boolean(jwtClaims[field]);
+			try {
+				const decodedHeader = decodeProtectedHeader(token);
+				const { kid, alg: jwtAlg } = decodedHeader;
+				if (!kid || !jwtAlg) return false;
+				const publicKey = await getApplePublicKey(kid);
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: "https://appleid.apple.com",
+					audience:
+						options.audience && options.audience.length
+							? options.audience
+							: options.appBundleIdentifier
+								? options.appBundleIdentifier
+								: options.clientId,
+					maxTokenAge: "1h",
+				});
+				["email_verified", "is_private_email"].forEach((field) => {
+					if (jwtClaims[field] !== undefined) {
+						jwtClaims[field] = Boolean(jwtClaims[field]);
+					}
+				});
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
 				}
-			});
-			if (nonce && jwtClaims.nonce !== nonce) {
+				return !!jwtClaims;
+			} catch {
 				return false;
 			}
-			return !!jwtClaims;
 		},
 		refreshAccessToken: options.refreshAccessToken
 			? options.refreshAccessToken
 			: async (refreshToken) => {
 					return refreshAccessToken({
 						refreshToken,
-						options: {
-							clientId: options.clientId,
-							clientKey: options.clientKey,
-							clientSecret: options.clientSecret,
-						},
+						options,
 						tokenEndpoint: "https://appleid.apple.com/auth/token",
 					});
 				},
@@ -162,15 +162,15 @@ export const apple = (options: AppleOptions) => {
 				return null;
 			}
 
-			// TODO: " " masking will be removed when the name field is made optional
+			// TODO: "" masking will be removed when the name field is made optional
 			let name: string;
 			if (token.user?.name) {
 				const firstName = token.user.name.firstName || "";
 				const lastName = token.user.name.lastName || "";
 				const fullName = `${firstName} ${lastName}`.trim();
-				name = fullName || " ";
+				name = fullName;
 			} else {
-				name = profile.name || " ";
+				name = profile.name || "";
 			}
 
 			const emailVerified =

package/src/social-providers/cognito.ts

@@ -178,10 +178,7 @@ export const cognito = (options: CognitoOptions) => {
 						return null;
 					}
 					const name =
-						profile.name ||
-						profile.given_name ||
-						profile.username ||
-						profile.email;
+						profile.name || profile.given_name || profile.username || "";
 					const enrichedProfile = {
 						...profile,
 						name,
@@ -220,7 +217,11 @@ export const cognito = (options: CognitoOptions) => {
 						return {
 							user: {
 								id: userInfo.sub,
-								name: userInfo.name || userInfo.given_name || userInfo.username,
+								name:
+									userInfo.name ||
+									userInfo.given_name ||
+									userInfo.username ||
+									"",
 								email: userInfo.email,
 								image: userInfo.picture,
 								emailVerified: userInfo.email_verified,

package/src/social-providers/dropbox.ts

@@ -74,7 +74,7 @@ export const dropbox = (options: DropboxOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://api.dropbox.com/oauth2/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/facebook.ts

@@ -49,7 +49,7 @@ export const facebook = (options: FacebookOptions) => {
 			return await createAuthorizationURL({
 				id: "facebook",
 				options,
-				authorizationEndpoint: "https://www.facebook.com/v21.0/dialog/oauth",
+				authorizationEndpoint: "https://www.facebook.com/v24.0/dialog/oauth",
 				scopes: _scopes,
 				state,
 				redirectURI,
@@ -66,7 +66,7 @@ export const facebook = (options: FacebookOptions) => {
 				code,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://graph.facebook.com/oauth/access_token",
+				tokenEndpoint: "https://graph.facebook.com/v24.0/oauth/access_token",
 			});
 		},
 		async verifyIdToken(token, nonce) {
@@ -121,7 +121,7 @@ export const facebook = (options: FacebookOptions) => {
 							clientSecret: options.clientSecret,
 						},
 						tokenEndpoint:
-							"https://graph.facebook.com/v18.0/oauth/access_token",
+							"https://graph.facebook.com/v24.0/oauth/access_token",
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/github.ts

@@ -1,10 +1,12 @@
 import { betterFetch } from "@better-fetch/fetch";
+import { logger } from "../env";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getOAuth2Tokens,
 	refreshAccessToken,
-	validateAuthorizationCode,
 } from "../oauth2";
+import { createAuthorizationCodeRequest } from "../oauth2/validate-authorization-code";
 
 export interface GithubProfile {
 	login: string;
@@ -86,13 +88,33 @@ export const github = (options: GithubOptions) => {
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
-			return validateAuthorizationCode({
+			const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
 				code,
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint,
 			});
+
+			const { data, error } = await betterFetch<
+				| { access_token: string; token_type: string; scope: string }
+				| { error: string; error_description?: string; error_uri?: string }
+			>(tokenEndpoint, {
+				method: "POST",
+				body: body,
+				headers: requestHeaders,
+			});
+
+			if (error) {
+				logger.error("GitHub OAuth token exchange failed:", error);
+				return null;
+			}
+
+			if ("error" in data) {
+				logger.error("GitHub OAuth token exchange failed:", data);
+				return null;
+			}
+
+			return getOAuth2Tokens(data);
 		},
 		refreshAccessToken: options.refreshAccessToken
 			? options.refreshAccessToken
@@ -148,7 +170,7 @@ export const github = (options: GithubOptions) => {
 			return {
 				user: {
 					id: profile.id,
-					name: profile.name || profile.login,
+					name: profile.name || profile.login || "",
 					email: profile.email,
 					image: profile.avatar_url,
 					emailVerified,

package/src/social-providers/gitlab.ts

@@ -141,7 +141,7 @@ export const gitlab = (options: GitlabOptions) => {
 			return {
 				user: {
 					id: profile.id,
-					name: profile.name ?? profile.username,
+					name: profile.name ?? profile.username ?? "",
 					email: profile.email,
 					image: profile.avatar_url,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/google.ts

@@ -81,7 +81,7 @@ export const google = (options: GoogleOptions) => {
 			const url = await createAuthorizationURL({
 				id: "google",
 				options,
-				authorizationEndpoint: "https://accounts.google.com/o/oauth2/auth",
+				authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
 				scopes: _scopes,
 				state,
 				codeVerifier,
@@ -116,7 +116,7 @@ export const google = (options: GoogleOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://www.googleapis.com/oauth2/v4/token",
+						tokenEndpoint: "https://oauth2.googleapis.com/token",
 					});
 				},
 		async verifyIdToken(token, nonce) {
@@ -130,22 +130,26 @@ export const google = (options: GoogleOptions) => {
 			// Verify JWT integrity
 			// See https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token
 
-			const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
-			if (!kid || !jwtAlg) return false;
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
 
-			const publicKey = await getGooglePublicKey(kid);
-			const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
-				algorithms: [jwtAlg],
-				issuer: ["https://accounts.google.com", "accounts.google.com"],
-				audience: options.clientId,
-				maxTokenAge: "1h",
-			});
+				const publicKey = await getGooglePublicKey(kid);
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: ["https://accounts.google.com", "accounts.google.com"],
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				});
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
 
-			if (nonce && jwtClaims.nonce !== nonce) {
+				return true;
+			} catch {
 				return false;
 			}
-
-			return true;
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) {

package/src/social-providers/huggingface.ts

@@ -104,7 +104,7 @@ export const huggingface = (options: HuggingFaceOptions) => {
 			return {
 				user: {
 					id: profile.sub,
-					name: profile.name || profile.preferred_username,
+					name: profile.name || profile.preferred_username || "",
 					email: profile.email,
 					image: profile.picture,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/index.ts

@@ -1,4 +1,5 @@
 import * as z from "zod";
+import type { AwaitableFunction } from "../types";
 import { apple } from "./apple";
 import { atlassian } from "./atlassian";
 import { cognito } from "./cognito";
@@ -21,6 +22,7 @@ import { notion } from "./notion";
 import { paybin } from "./paybin";
 import { paypal } from "./paypal";
 import { polar } from "./polar";
+import { railway } from "./railway";
 import { reddit } from "./reddit";
 import { roblox } from "./roblox";
 import { salesforce } from "./salesforce";
@@ -66,6 +68,7 @@ export const socialProviders = {
 	paybin,
 	paypal,
 	polar,
+	railway,
 	vercel,
 };
 
@@ -81,11 +84,11 @@ export const SocialProviderListEnum = z
 export type SocialProvider = z.infer<typeof SocialProviderListEnum>;
 
 export type SocialProviders = {
-	[K in SocialProviderList[number]]?: Parameters<
-		(typeof socialProviders)[K]
-	>[0] & {
-		enabled?: boolean | undefined;
-	};
+	[K in SocialProviderList[number]]?: AwaitableFunction<
+		Parameters<(typeof socialProviders)[K]>[0] & {
+			enabled?: boolean | undefined;
+		}
+	>;
 };
 
 export * from "./apple";
@@ -112,6 +115,7 @@ export * from "./notion";
 export * from "./paybin";
 export * from "./paypal";
 export * from "./polar";
+export * from "./railway";
 export * from "./reddit";
 export * from "./roblox";
 export * from "./salesforce";

package/src/social-providers/kakao.ts

@@ -161,7 +161,7 @@ export const kakao = (options: KakaoOptions) => {
 			const kakaoProfile = account.profile || {};
 			const user = {
 				id: String(profile.id),
-				name: kakaoProfile.nickname || account.name || undefined,
+				name: kakaoProfile.nickname || account.name || "",
 				email: account.email,
 				image:
 					kakaoProfile.profile_image_url || kakaoProfile.thumbnail_image_url,

package/src/social-providers/line.ts

@@ -147,7 +147,7 @@ export const line = (options: LineOptions) => {
 			const userMap = await options.mapProfileToUser?.(profile as any);
 			// ID preference order
 			const id = (profile as any).sub || (profile as any).userId;
-			const name = (profile as any).name || (profile as any).displayName;
+			const name = (profile as any).name || (profile as any).displayName || "";
 			const image =
 				(profile as any).picture || (profile as any).pictureUrl || undefined;
 			const email = (profile as any).email;

package/src/social-providers/microsoft-entra-id.ts

@@ -1,7 +1,8 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt } from "jose";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 import { logger } from "../env";
+import { APIError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
@@ -174,6 +175,56 @@ export const microsoft = (options: MicrosoftOptions) => {
 				tokenEndpoint,
 			});
 		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
+
+				const publicKey = await getMicrosoftPublicKey(kid, tenant, authority);
+				const verifyOptions: {
+					algorithms: [string];
+					audience: string;
+					maxTokenAge: string;
+					issuer?: string;
+				} = {
+					algorithms: [jwtAlg],
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				};
+				/**
+				 * Issuer varies per user's tenant for multi-tenant endpoints, so only validate for specific tenants.
+				 * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
+				 */
+				if (
+					tenant !== "common" &&
+					tenant !== "organizations" &&
+					tenant !== "consumers"
+				) {
+					verifyOptions.issuer = `${authority}/${tenant}/v2.0`;
+				}
+				const { payload: jwtClaims } = await jwtVerify(
+					token,
+					publicKey,
+					verifyOptions,
+				);
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
+
+				return true;
+			} catch (error) {
+				logger.error("Failed to verify ID token:", error);
+				return false;
+			}
+		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) {
 				return options.getUserInfo(token);
@@ -257,3 +308,35 @@ export const microsoft = (options: MicrosoftOptions) => {
 		options,
 	} satisfies OAuthProvider;
 };
+
+export const getMicrosoftPublicKey = async (
+	kid: string,
+	tenant: string,
+	authority: string,
+) => {
+	const { data } = await betterFetch<{
+		keys: Array<{
+			kid: string;
+			alg: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+			x5c?: string[];
+			x5t?: string;
+		}>;
+	}>(`${authority}/${tenant}/discovery/v2.0/keys`);
+
+	if (!data?.keys) {
+		throw new APIError("BAD_REQUEST", {
+			message: "Keys not found",
+		});
+	}
+
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) {
+		throw new Error(`JWK with kid ${kid} not found`);
+	}
+
+	return await importJWK(jwk, jwk.alg);
+};