@better-auth/core 1.5.0-beta.9 → 1.5.0

package/src/social-providers/github.ts

@@ -1,10 +1,12 @@
 import { betterFetch } from "@better-fetch/fetch";
+import { logger } from "../env";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getOAuth2Tokens,
 	refreshAccessToken,
-	validateAuthorizationCode,
 } from "../oauth2";
+import { createAuthorizationCodeRequest } from "../oauth2/validate-authorization-code";
 
 export interface GithubProfile {
 	login: string;
@@ -86,13 +88,33 @@ export const github = (options: GithubOptions) => {
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
-			return validateAuthorizationCode({
+			const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
 				code,
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint,
 			});
+
+			const { data, error } = await betterFetch<
+				| { access_token: string; token_type: string; scope: string }
+				| { error: string; error_description?: string; error_uri?: string }
+			>(tokenEndpoint, {
+				method: "POST",
+				body: body,
+				headers: requestHeaders,
+			});
+
+			if (error) {
+				logger.error("GitHub OAuth token exchange failed:", error);
+				return null;
+			}
+
+			if ("error" in data) {
+				logger.error("GitHub OAuth token exchange failed:", data);
+				return null;
+			}
+
+			return getOAuth2Tokens(data);
 		},
 		refreshAccessToken: options.refreshAccessToken
 			? options.refreshAccessToken
@@ -148,7 +170,7 @@ export const github = (options: GithubOptions) => {
 			return {
 				user: {
 					id: profile.id,
-					name: profile.name || profile.login,
+					name: profile.name || profile.login || "",
 					email: profile.email,
 					image: profile.avatar_url,
 					emailVerified,

package/src/social-providers/gitlab.ts

@@ -141,7 +141,7 @@ export const gitlab = (options: GitlabOptions) => {
 			return {
 				user: {
 					id: profile.id,
-					name: profile.name ?? profile.username,
+					name: profile.name ?? profile.username ?? "",
 					email: profile.email,
 					image: profile.avatar_url,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/google.ts

@@ -81,7 +81,7 @@ export const google = (options: GoogleOptions) => {
 			const url = await createAuthorizationURL({
 				id: "google",
 				options,
-				authorizationEndpoint: "https://accounts.google.com/o/oauth2/auth",
+				authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
 				scopes: _scopes,
 				state,
 				codeVerifier,
@@ -116,7 +116,7 @@ export const google = (options: GoogleOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://www.googleapis.com/oauth2/v4/token",
+						tokenEndpoint: "https://oauth2.googleapis.com/token",
 					});
 				},
 		async verifyIdToken(token, nonce) {
@@ -130,22 +130,26 @@ export const google = (options: GoogleOptions) => {
 			// Verify JWT integrity
 			// See https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token
 
-			const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
-			if (!kid || !jwtAlg) return false;
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
 
-			const publicKey = await getGooglePublicKey(kid);
-			const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
-				algorithms: [jwtAlg],
-				issuer: ["https://accounts.google.com", "accounts.google.com"],
-				audience: options.clientId,
-				maxTokenAge: "1h",
-			});
+				const publicKey = await getGooglePublicKey(kid);
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: ["https://accounts.google.com", "accounts.google.com"],
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				});
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
 
-			if (nonce && jwtClaims.nonce !== nonce) {
+				return true;
+			} catch {
 				return false;
 			}
-
-			return true;
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) {

package/src/social-providers/huggingface.ts

@@ -104,7 +104,7 @@ export const huggingface = (options: HuggingFaceOptions) => {
 			return {
 				user: {
 					id: profile.sub,
-					name: profile.name || profile.preferred_username,
+					name: profile.name || profile.preferred_username || "",
 					email: profile.email,
 					image: profile.picture,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/index.ts

@@ -1,4 +1,5 @@
 import * as z from "zod";
+import type { AwaitableFunction } from "../types";
 import { apple } from "./apple";
 import { atlassian } from "./atlassian";
 import { cognito } from "./cognito";
@@ -21,6 +22,7 @@ import { notion } from "./notion";
 import { paybin } from "./paybin";
 import { paypal } from "./paypal";
 import { polar } from "./polar";
+import { railway } from "./railway";
 import { reddit } from "./reddit";
 import { roblox } from "./roblox";
 import { salesforce } from "./salesforce";
@@ -66,6 +68,7 @@ export const socialProviders = {
 	paybin,
 	paypal,
 	polar,
+	railway,
 	vercel,
 };
 
@@ -81,11 +84,11 @@ export const SocialProviderListEnum = z
 export type SocialProvider = z.infer<typeof SocialProviderListEnum>;
 
 export type SocialProviders = {
-	[K in SocialProviderList[number]]?: Parameters<
-		(typeof socialProviders)[K]
-	>[0] & {
-		enabled?: boolean | undefined;
-	};
+	[K in SocialProviderList[number]]?: AwaitableFunction<
+		Parameters<(typeof socialProviders)[K]>[0] & {
+			enabled?: boolean | undefined;
+		}
+	>;
 };
 
 export * from "./apple";
@@ -112,6 +115,7 @@ export * from "./notion";
 export * from "./paybin";
 export * from "./paypal";
 export * from "./polar";
+export * from "./railway";
 export * from "./reddit";
 export * from "./roblox";
 export * from "./salesforce";

package/src/social-providers/kakao.ts

@@ -161,7 +161,7 @@ export const kakao = (options: KakaoOptions) => {
 			const kakaoProfile = account.profile || {};
 			const user = {
 				id: String(profile.id),
-				name: kakaoProfile.nickname || account.name || undefined,
+				name: kakaoProfile.nickname || account.name || "",
 				email: account.email,
 				image:
 					kakaoProfile.profile_image_url || kakaoProfile.thumbnail_image_url,

package/src/social-providers/line.ts

@@ -147,7 +147,7 @@ export const line = (options: LineOptions) => {
 			const userMap = await options.mapProfileToUser?.(profile as any);
 			// ID preference order
 			const id = (profile as any).sub || (profile as any).userId;
-			const name = (profile as any).name || (profile as any).displayName;
+			const name = (profile as any).name || (profile as any).displayName || "";
 			const image =
 				(profile as any).picture || (profile as any).pictureUrl || undefined;
 			const email = (profile as any).email;

package/src/social-providers/microsoft-entra-id.ts

@@ -1,7 +1,8 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt } from "jose";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 import { logger } from "../env";
+import { APIError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
@@ -174,6 +175,56 @@ export const microsoft = (options: MicrosoftOptions) => {
 				tokenEndpoint,
 			});
 		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
+
+				const publicKey = await getMicrosoftPublicKey(kid, tenant, authority);
+				const verifyOptions: {
+					algorithms: [string];
+					audience: string;
+					maxTokenAge: string;
+					issuer?: string;
+				} = {
+					algorithms: [jwtAlg],
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				};
+				/**
+				 * Issuer varies per user's tenant for multi-tenant endpoints, so only validate for specific tenants.
+				 * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
+				 */
+				if (
+					tenant !== "common" &&
+					tenant !== "organizations" &&
+					tenant !== "consumers"
+				) {
+					verifyOptions.issuer = `${authority}/${tenant}/v2.0`;
+				}
+				const { payload: jwtClaims } = await jwtVerify(
+					token,
+					publicKey,
+					verifyOptions,
+				);
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
+
+				return true;
+			} catch (error) {
+				logger.error("Failed to verify ID token:", error);
+				return false;
+			}
+		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) {
 				return options.getUserInfo(token);
@@ -257,3 +308,35 @@ export const microsoft = (options: MicrosoftOptions) => {
 		options,
 	} satisfies OAuthProvider;
 };
+
+export const getMicrosoftPublicKey = async (
+	kid: string,
+	tenant: string,
+	authority: string,
+) => {
+	const { data } = await betterFetch<{
+		keys: Array<{
+			kid: string;
+			alg: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+			x5c?: string[];
+			x5t?: string;
+		}>;
+	}>(`${authority}/${tenant}/discovery/v2.0/keys`);
+
+	if (!data?.keys) {
+		throw new APIError("BAD_REQUEST", {
+			message: "Keys not found",
+		});
+	}
+
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) {
+		throw new Error(`JWK with kid ${kid} not found`);
+	}
+
+	return await importJWK(jwk, jwk.alg);
+};

package/src/social-providers/naver.ts

@@ -96,7 +96,7 @@ export const naver = (options: NaverOptions) => {
 			const res = profile.response || {};
 			const user = {
 				id: res.id,
-				name: res.name || res.nickname,
+				name: res.name || res.nickname || "",
 				email: res.email,
 				image: res.profile_image,
 				emailVerified: false,

package/src/social-providers/notion.ts

@@ -94,7 +94,7 @@ export const notion = (options: NotionOptions) => {
 			return {
 				user: {
 					id: userProfile.id,
-					name: userProfile.name || "Notion User",
+					name: userProfile.name || "",
 					email: userProfile.person?.email || null,
 					image: userProfile.avatar_url,
 					emailVerified: false,

package/src/social-providers/paybin.ts

@@ -104,11 +104,7 @@ export const paybin = (options: PaybinOptions) => {
 			return {
 				user: {
 					id: user.sub,
-					name:
-						user.name ||
-						user.preferred_username ||
-						(user.email ? user.email.split("@")[0] : "User") ||
-						"User",
+					name: user.name || user.preferred_username || "",
 					email: user.email,
 					image: user.picture,
 					emailVerified: user.email_verified || false,

package/src/social-providers/polar.ts

@@ -96,7 +96,7 @@ export const polar = (options: PolarOptions) => {
 			return {
 				user: {
 					id: profile.id,
-					name: profile.public_name || profile.username,
+					name: profile.public_name || profile.username || "",
 					email: profile.email,
 					image: profile.avatar_url,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/railway.ts

@@ -0,0 +1,100 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+const authorizationEndpoint = "https://backboard.railway.com/oauth/auth";
+const tokenEndpoint = "https://backboard.railway.com/oauth/token";
+const userinfoEndpoint = "https://backboard.railway.com/oauth/me";
+
+export interface RailwayProfile {
+	/** The user's unique ID (OAuth `sub` claim). */
+	sub: string;
+	/** The user's email address. */
+	email: string;
+	/** The user's display name. */
+	name: string;
+	/** URL of the user's profile picture. */
+	picture: string;
+}
+
+export interface RailwayOptions extends ProviderOptions<RailwayProfile> {
+	clientId: string;
+}
+
+export const railway = (options: RailwayOptions) => {
+	return {
+		id: "railway",
+		name: "Railway",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "email", "profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "railway",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+				authentication: "basic",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+						authentication: "basic",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<RailwayProfile>(
+				userinfoEndpoint,
+				{ headers: { authorization: `Bearer ${token.accessToken}` } },
+			);
+			if (error || !profile) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			// Railway does not provide an email_verified claim.
+			// We default to false for security consistency.
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name,
+					email: profile.email,
+					image: profile.picture,
+					emailVerified: false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<RailwayProfile>;
+};

package/src/social-providers/tiktok.ts

@@ -197,7 +197,8 @@ export const tiktok = (options: TiktokOptions) => {
 				user: {
 					email: profile.data.user.email || profile.data.user.username,
 					id: profile.data.user.open_id,
-					name: profile.data.user.display_name || profile.data.user.username,
+					name:
+						profile.data.user.display_name || profile.data.user.username || "",
 					image: profile.data.user.avatar_large_url,
 					emailVerified: false,
 				},

package/src/social-providers/vercel.ts

@@ -73,7 +73,7 @@ export const vercel = (options: VercelOptions) => {
 			return {
 				user: {
 					id: profile.sub,
-					name: profile.name ?? profile.preferred_username,
+					name: profile.name ?? profile.preferred_username ?? "",
 					email: profile.email,
 					image: profile.picture,
 					emailVerified: profile.email_verified ?? false,

package/src/social-providers/zoom.ts

@@ -96,11 +96,6 @@ export interface ZoomProfile extends Record<string, any> {
 	login_types: LoginType[];
 	/** User's personal meeting URL (Example: "example.com") */
 	personal_meeting_url: string;
-	/** This field has been deprecated and will not be supported in the future.
-	 * Use the phone_numbers field instead of this field.
-	 * The user's phone number (Example: "+1 800000000") */
-	// @deprecated true
-	phone_number?: string | undefined;
 	/** The URL for user's profile picture (Example: "example.com") */
 	pic_url: string;
 	/** Personal Meeting ID (PMI) (Example: 3542471135) */
@@ -131,9 +126,6 @@ export interface ZoomProfile extends Record<string, any> {
 	employee_unique_id?: string | undefined;
 	/** The manager for the user (Example: "thill@example.com") */
 	manager?: string | undefined;
-	/** The user's country for the company phone number (Example: "US")
-	 * @deprecated true */
-	phone_country?: string | undefined;
 	/** The phone number's ISO country code (Example: "+1") */
 	phone_numbers?: PhoneNumber[] | undefined;
 	/** The user's plan type (Example: "1") */

package/src/types/context.ts

@@ -12,29 +12,66 @@ import type { DBAdapter, Where } from "../db/adapter";
 import type { createLogger } from "../env";
 import type { OAuthProvider } from "../oauth2";
 import type { BetterAuthCookie, BetterAuthCookies } from "./cookie";
-import type { LiteralString } from "./helper";
+import type { Awaitable, LiteralString } from "./helper";
 import type {
 	BetterAuthOptions,
 	BetterAuthRateLimitOptions,
 } from "./init-options";
 import type { BetterAuthPlugin } from "./plugin";
+import type { SecretConfig } from "./secret";
+
+/**
+ * @internal
+ */
+type InferPluginID<O extends BetterAuthOptions> =
+	O["plugins"] extends Array<infer P>
+		? P extends BetterAuthPlugin
+			? P["id"]
+			: never
+		: never;
+
+/**
+ * @internal
+ */
+type InferPluginOptions<
+	O extends BetterAuthOptions,
+	ID extends BetterAuthPluginRegistryIdentifier | LiteralString,
+> =
+	O["plugins"] extends Array<infer P>
+		? P extends BetterAuthPlugin
+			? P["id"] extends ID
+				? P extends { options: infer O }
+					? O
+					: never
+				: never
+			: never
+		: never;
 
 /**
  * Mutators are defined in each plugin
  *
  * @example
  * ```ts
+ * interface MyPluginOptions {
+ *   useFeature: boolean
+ * }
+ *
+ * const createMyPlugin = <Options extends MyPluginOptions>(options?: Options) => ({
+ *   id: 'my-plugin',
+ *   options,
+ * } satisfies BetterAuthPlugin);
+ *
  * declare module "@better-auth/core" {
- *  interface BetterAuthPluginRegistry<Auth, Context> {
- *    'jwt': {
- *      creator: typeof jwt
+ *  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+ *    'my-plugin': {
+ *      creator: Options extends MyPluginOptions ? typeof createMyPlugin<Options>: typeof createMyPlugin
  *    }
  *  }
  * }
  * ```
  */
 // biome-ignore lint/correctness/noUnusedVariables: Auth and Context is used in the declaration merging
-export interface BetterAuthPluginRegistry<Auth, Context> {}
+export interface BetterAuthPluginRegistry<AuthOptions, Options> {}
 export type BetterAuthPluginRegistryIdentifier = keyof BetterAuthPluginRegistry<
 	unknown,
 	unknown
@@ -67,7 +104,10 @@ export interface InternalAdapter<
 			T,
 	): Promise<T & Account>;
 
-	listSessions(userId: string): Promise<Session[]>;
+	listSessions(
+		userId: string,
+		options?: { onlyActiveSessions?: boolean | undefined } | undefined,
+	): Promise<Session[]>;
 
 	listUsers(
 		limit?: number | undefined,
@@ -94,6 +134,11 @@ export interface InternalAdapter<
 
 	findSessions(
 		sessionTokens: string[],
+		options?:
+			| {
+					onlyActiveSessions?: boolean | undefined;
+			  }
+			| undefined,
 	): Promise<{ session: Session; user: User }[]>;
 
 	updateSession(
@@ -183,12 +228,21 @@ type CheckPasswordFn<Options extends BetterAuthOptions = BetterAuthOptions> = (
 	ctx: GenericEndpointContext<Options>,
 ) => Promise<boolean>;
 
-export type PluginContext = {
-	getPlugin: <ID extends BetterAuthPluginRegistryIdentifier | LiteralString>(
+export type PluginContext<Options extends BetterAuthOptions> = {
+	getPlugin: <
+		ID extends BetterAuthPluginRegistryIdentifier | LiteralString,
+		PluginOptions extends InferPluginOptions<Options, ID>,
+	>(
 		pluginId: ID,
 	) =>
 		| (ID extends BetterAuthPluginRegistryIdentifier
-				? ReturnType<BetterAuthPluginRegistry<unknown, unknown>[ID]["creator"]>
+				? BetterAuthPluginRegistry<Options, PluginOptions>[ID] extends {
+						creator: infer C;
+					}
+					? C extends (...args: any[]) => infer R
+						? R
+						: never
+					: never
 				: BetterAuthPlugin)
 		| null;
 	/**
@@ -206,7 +260,7 @@ export type PluginContext = {
 	 */
 	hasPlugin: <ID extends BetterAuthPluginRegistryIdentifier | LiteralString>(
 		pluginId: ID,
-	) => boolean;
+	) => ID extends InferPluginID<Options> ? true : boolean;
 };
 
 export type InfoContext = {
@@ -216,10 +270,15 @@ export type InfoContext = {
 };
 
 export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
-	PluginContext &
+	PluginContext<Options> &
 		InfoContext & {
 			options: Options;
 			trustedOrigins: string[];
+			/**
+			 * Resolved list of trusted providers for account linking.
+			 * Populated from "account.accountLinking.trustedProviders" (supports static array or async function).
+			 */
+			trustedProviders: string[];
 			/**
 			 * Verifies whether url is a trusted origin according to the "trustedOrigins" configuration
 			 * @param url The url to verify against the "trustedOrigins" configuration
@@ -281,6 +340,7 @@ export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
 			internalAdapter: InternalAdapter<Options>;
 			createAuthCookie: CreateCookieGetterFn;
 			secret: string;
+			secretConfig: string | SecretConfig;
 			sessionConfig: {
 				updateAge: number;
 				expiresIn: number;
@@ -341,7 +401,7 @@ export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
 			 * This is inferred from the `options.advanced?.backgroundTasks?.handler` option.
 			 * Defaults to a no-op that just runs the promise.
 			 */
-			runInBackground: (promise: Promise<void>) => void;
+			runInBackground: (promise: Promise<unknown>) => void;
 			/**
 			 * Runs a task in the background if `runInBackground` is configured,
 			 * otherwise awaits the task directly.
@@ -351,6 +411,6 @@ export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
 			 * mitigation), but still ensure the operation completes.
 			 */
 			runInBackgroundOrAwait: (
-				promise: Promise<unknown> | Promise<void> | void | unknown,
-			) => Promise<unknown>;
+				promise: Promise<unknown> | void,
+			) => Awaitable<unknown>;
 		};

package/src/types/helper.ts

@@ -8,6 +8,7 @@ export type Primitive =
 	| undefined;
 
 export type Awaitable<T> = T | Promise<T>;
+export type AwaitableFunction<T> = T | (() => Awaitable<T>);
 export type LiteralString = "" | (string & Record<never, never>);
 export type LiteralUnion<LiteralType, BaseType extends Primitive> =
 	| LiteralType
@@ -16,3 +17,11 @@ export type LiteralUnion<LiteralType, BaseType extends Primitive> =
 export type Prettify<T> = {
 	[K in keyof T]: T[K];
 } & {};
+
+export type UnionToIntersection<U> = (
+	U extends any
+		? (k: U) => void
+		: never
+) extends (k: infer I) => void
+	? I
+	: never;