@better-auth/core 1.5.4 → 1.5.6

package/src/social-providers/wechat.ts

@@ -0,0 +1,213 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuth2Tokens, OAuthProvider, ProviderOptions } from "../oauth2";
+
+/**
+ * WeChat user profile information
+ * @see https://developers.weixin.qq.com/doc/oplatform/en/Website_App/WeChat_Login/Wechat_Login.html
+ */
+export interface WeChatProfile extends Record<string, any> {
+	/**
+	 * User's unique OpenID
+	 */
+	openid: string;
+	/**
+	 * User's nickname
+	 */
+	nickname: string;
+	/**
+	 * User's avatar image URL
+	 */
+	headimgurl: string;
+	/**
+	 * User's privileges
+	 */
+	privilege: string[];
+	/**
+	 * User's UnionID (unique across the developer's various applications)
+	 */
+	unionid?: string;
+	/** @note Email is currently unsupported by WeChat */
+	email?: string;
+}
+
+export interface WeChatOptions extends ProviderOptions<WeChatProfile> {
+	/**
+	 * WeChat App ID
+	 */
+	clientId: string;
+	/**
+	 * WeChat App Secret
+	 */
+	clientSecret: string;
+	/**
+	 * Platform type for WeChat login
+	 * - Currently only supports "WebsiteApp" for WeChat Website Application (网站应用)
+	 * @default "WebsiteApp"
+	 */
+	platformType?: "WebsiteApp";
+
+	/**
+	 * UI language for the WeChat login page
+	 * cn for Simplified Chinese, en for English
+	 * @default "cn" if left undefined
+	 */
+	lang?: "cn" | "en";
+}
+
+export const wechat = (options: WeChatOptions) => {
+	return {
+		id: "wechat",
+		name: "WeChat",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["snsapi_login"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+
+			// WeChat uses non-standard OAuth2 parameters (appid instead of client_id)
+			// and requires a fragment (#wechat_redirect), so we construct the URL manually.
+			const url = new URL("https://open.weixin.qq.com/connect/qrconnect");
+			url.searchParams.set("scope", _scopes.join(","));
+			url.searchParams.set("response_type", "code");
+			url.searchParams.set("appid", options.clientId);
+			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+			url.searchParams.set("state", state);
+			url.searchParams.set("lang", options.lang || "cn");
+			url.hash = "wechat_redirect";
+
+			return url;
+		},
+
+		// WeChat uses non-standard token exchange (appid/secret instead of
+		// client_id/client_secret, GET instead of POST), so shared helpers
+		// like validateAuthorizationCode/getOAuth2Tokens cannot be used directly.
+		validateAuthorizationCode: async ({ code }) => {
+			const params = new URLSearchParams({
+				appid: options.clientId,
+				secret: options.clientSecret,
+				code: code,
+				grant_type: "authorization_code",
+			});
+
+			const { data: tokenData, error } = await betterFetch<{
+				access_token: string;
+				expires_in: number;
+				refresh_token: string;
+				openid: string;
+				scope: string;
+				unionid?: string;
+				errcode?: number;
+				errmsg?: string;
+			}>(
+				"https://api.weixin.qq.com/sns/oauth2/access_token?" +
+					params.toString(),
+				{
+					method: "GET",
+				},
+			);
+
+			if (error || !tokenData || tokenData.errcode) {
+				throw new Error(
+					`Failed to validate authorization code: ${tokenData?.errmsg || error?.message || "Unknown error"}`,
+				);
+			}
+
+			return {
+				tokenType: "Bearer" as const,
+				accessToken: tokenData.access_token,
+				refreshToken: tokenData.refresh_token,
+				accessTokenExpiresAt: new Date(
+					Date.now() + tokenData.expires_in * 1000,
+				),
+				scopes: tokenData.scope.split(","),
+				// WeChat requires openid for the userinfo endpoint, which is
+				// returned alongside the access token.
+				openid: tokenData.openid,
+				unionid: tokenData.unionid,
+			};
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					const params = new URLSearchParams({
+						appid: options.clientId,
+						grant_type: "refresh_token",
+						refresh_token: refreshToken,
+					});
+
+					const { data: tokenData, error } = await betterFetch<{
+						access_token: string;
+						expires_in: number;
+						refresh_token: string;
+						openid: string;
+						scope: string;
+						errcode?: number;
+						errmsg?: string;
+					}>(
+						"https://api.weixin.qq.com/sns/oauth2/refresh_token?" +
+							params.toString(),
+						{
+							method: "GET",
+						},
+					);
+
+					if (error || !tokenData || tokenData.errcode) {
+						throw new Error(
+							`Failed to refresh access token: ${tokenData?.errmsg || error?.message || "Unknown error"}`,
+						);
+					}
+
+					return {
+						tokenType: "Bearer" as const,
+						accessToken: tokenData.access_token,
+						refreshToken: tokenData.refresh_token,
+						accessTokenExpiresAt: new Date(
+							Date.now() + tokenData.expires_in * 1000,
+						),
+						scopes: tokenData.scope.split(","),
+					};
+				},
+
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			const openid = (token as OAuth2Tokens & { openid?: string }).openid;
+
+			if (!openid) {
+				return null;
+			}
+
+			const params = new URLSearchParams({
+				access_token: token.accessToken || "",
+				openid: openid,
+				lang: "zh_CN",
+			});
+
+			const { data: profile, error } = await betterFetch<
+				WeChatProfile & { errcode?: number; errmsg?: string }
+			>("https://api.weixin.qq.com/sns/userinfo?" + params.toString(), {
+				method: "GET",
+			});
+
+			if (error || !profile || profile.errcode) {
+				return null;
+			}
+
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.unionid || profile.openid || openid,
+					name: profile.nickname,
+					email: profile.email || null,
+					image: profile.headimgurl,
+					emailVerified: false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<WeChatProfile, WeChatOptions>;
+};

package/src/utils/fetch-metadata.test.ts

@@ -0,0 +1,28 @@
+import { describe, expect, it } from "vitest";
+import { isBrowserFetchRequest } from "./fetch-metadata";
+
+describe("isBrowserFetchRequest", () => {
+	it("returns true for browser fetch requests", () => {
+		expect(
+			isBrowserFetchRequest(
+				new Headers({
+					"Sec-Fetch-Mode": "cors",
+				}),
+			),
+		).toBe(true);
+	});
+
+	it("returns false for navigation requests", () => {
+		expect(
+			isBrowserFetchRequest(
+				new Headers({
+					"Sec-Fetch-Mode": "navigate",
+				}),
+			),
+		).toBe(false);
+	});
+
+	it("returns false without fetch metadata", () => {
+		expect(isBrowserFetchRequest()).toBe(false);
+	});
+});

package/src/utils/fetch-metadata.ts

@@ -0,0 +1,3 @@
+export function isBrowserFetchRequest(headers?: Headers | null): boolean {
+	return headers?.get("sec-fetch-mode") === "cors";
+}