@better-auth/core 1.5.5 → 1.5.7-beta.1

package/src/instrumentation/tracer.ts

@@ -0,0 +1,62 @@
+import { SpanStatusCode, trace } from "@opentelemetry/api";
+
+const INSTRUMENTATION_SCOPE = "better-auth";
+const INSTRUMENTATION_VERSION = import.meta.env?.BETTER_AUTH_VERSION ?? "1.0.0";
+
+const tracer = trace.getTracer(INSTRUMENTATION_SCOPE, INSTRUMENTATION_VERSION);
+
+/**
+ * Creates a child span whose lifetime is bound to the execution of the given function
+ *
+ * @param name - The name of the span.
+ * @param attributes - The attributes of the span.
+ * @param fn - The function to execute within the span.
+ * @returns The result of the function.
+ */
+export function withSpan<T>(
+	name: string,
+	attributes: Record<string, string | number | boolean>,
+	fn: () => T,
+): T;
+export function withSpan<T>(
+	name: string,
+	attributes: Record<string, string | number | boolean>,
+	fn: () => Promise<T>,
+): Promise<T>;
+export function withSpan<T>(
+	name: string,
+	attributes: Record<string, string | number | boolean>,
+	fn: () => T | Promise<T>,
+): T | Promise<T> {
+	return tracer.startActiveSpan(name, { attributes }, (span) => {
+		try {
+			const result = fn();
+			if (result instanceof Promise) {
+				return result
+					.then((value) => {
+						span.end();
+						return value;
+					})
+					.catch((err) => {
+						span.recordException(err);
+						span.setStatus({
+							code: SpanStatusCode.ERROR,
+							message: String(err.message ?? err),
+						});
+						span.end();
+						throw err;
+					}) as Promise<T>;
+			}
+			span.end();
+			return result;
+		} catch (err) {
+			span.recordException(err as Error);
+			span.setStatus({
+				code: SpanStatusCode.ERROR,
+				message: String((err as Error)?.message ?? err),
+			});
+			span.end();
+			throw err;
+		}
+	});
+}

package/src/social-providers/apple.ts

@@ -147,7 +147,7 @@ export const apple = (options: AppleOptions) => {
 					return refreshAccessToken({
 						refreshToken,
 						options,
-						tokenEndpoint: "https://appleid.apple.com/auth/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/atlassian.ts

@@ -30,6 +30,7 @@ export interface AtlassianOptions extends ProviderOptions<AtlassianProfile> {
 }
 
 export const atlassian = (options: AtlassianOptions) => {
+	const tokenEndpoint = "https://auth.atlassian.com/oauth/token";
 	return {
 		id: "atlassian",
 		name: "Atlassian",
@@ -70,7 +71,7 @@ export const atlassian = (options: AtlassianOptions) => {
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://auth.atlassian.com/oauth/token",
+				tokenEndpoint,
 			});
 		},
 
@@ -83,7 +84,7 @@ export const atlassian = (options: AtlassianOptions) => {
 							clientId: options.clientId,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://auth.atlassian.com/oauth/token",
+						tokenEndpoint,
 					});
 				},
 

package/src/social-providers/discord.ts

@@ -80,6 +80,7 @@ export interface DiscordOptions extends ProviderOptions<DiscordProfile> {
 }
 
 export const discord = (options: DiscordOptions) => {
+	const tokenEndpoint = "https://discord.com/api/oauth2/token";
 	return {
 		id: "discord",
 		name: "Discord",
@@ -109,7 +110,7 @@ export const discord = (options: DiscordOptions) => {
 				code,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://discord.com/api/oauth2/token",
+				tokenEndpoint,
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -122,7 +123,7 @@ export const discord = (options: DiscordOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://discord.com/api/oauth2/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/figma.ts

@@ -20,6 +20,7 @@ export interface FigmaOptions extends ProviderOptions<FigmaProfile> {
 }
 
 export const figma = (options: FigmaOptions) => {
+	const tokenEndpoint = "https://api.figma.com/v1/oauth/token";
 	return {
 		id: "figma",
 		name: "Figma",
@@ -56,7 +57,7 @@ export const figma = (options: FigmaOptions) => {
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://api.figma.com/v1/oauth/token",
+				tokenEndpoint,
 				authentication: "basic",
 			});
 		},
@@ -70,7 +71,7 @@ export const figma = (options: FigmaOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://api.figma.com/v1/oauth/token",
+						tokenEndpoint,
 						authentication: "basic",
 					});
 				},

package/src/social-providers/github.ts

@@ -126,7 +126,7 @@ export const github = (options: GithubOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://github.com/login/oauth/access_token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/huggingface.ts

@@ -43,6 +43,7 @@ export interface HuggingFaceOptions
 }
 
 export const huggingface = (options: HuggingFaceOptions) => {
+	const tokenEndpoint = "https://huggingface.co/oauth/token";
 	return {
 		id: "huggingface",
 		name: "Hugging Face",
@@ -68,7 +69,7 @@ export const huggingface = (options: HuggingFaceOptions) => {
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://huggingface.co/oauth/token",
+				tokenEndpoint,
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -81,7 +82,7 @@ export const huggingface = (options: HuggingFaceOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://huggingface.co/oauth/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/index.ts

@@ -33,6 +33,7 @@ import { twitch } from "./twitch";
 import { twitter } from "./twitter";
 import { vercel } from "./vercel";
 import { vk } from "./vk";
+import { wechat } from "./wechat";
 import { zoom } from "./zoom";
 
 export const socialProviders = {
@@ -70,6 +71,7 @@ export const socialProviders = {
 	polar,
 	railway,
 	vercel,
+	wechat,
 };
 
 export const socialProviderList = Object.keys(socialProviders) as [
@@ -126,6 +128,7 @@ export * from "./twitch";
 export * from "./twitter";
 export * from "./vercel";
 export * from "./vk";
+export * from "./wechat";
 export * from "./zoom";
 
 export type SocialProviderList = typeof socialProviderList;

package/src/social-providers/kakao.ts

@@ -102,6 +102,7 @@ export interface KakaoOptions extends ProviderOptions<KakaoProfile> {
 }
 
 export const kakao = (options: KakaoOptions) => {
+	const tokenEndpoint = "https://kauth.kakao.com/oauth/token";
 	return {
 		id: "kakao",
 		name: "Kakao",
@@ -125,7 +126,7 @@ export const kakao = (options: KakaoOptions) => {
 				code,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://kauth.kakao.com/oauth/token",
+				tokenEndpoint,
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -138,7 +139,7 @@ export const kakao = (options: KakaoOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://kauth.kakao.com/oauth/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/naver.ts

@@ -40,6 +40,7 @@ export interface NaverOptions extends ProviderOptions<NaverProfile> {
 }
 
 export const naver = (options: NaverOptions) => {
+	const tokenEndpoint = "https://nid.naver.com/oauth2.0/token";
 	return {
 		id: "naver",
 		name: "Naver",
@@ -61,7 +62,7 @@ export const naver = (options: NaverOptions) => {
 				code,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://nid.naver.com/oauth2.0/token",
+				tokenEndpoint,
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -74,7 +75,7 @@ export const naver = (options: NaverOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://nid.naver.com/oauth2.0/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/polar.ts

@@ -33,6 +33,7 @@ export interface PolarProfile {
 export interface PolarOptions extends ProviderOptions<PolarProfile> {}
 
 export const polar = (options: PolarOptions) => {
+	const tokenEndpoint = "https://api.polar.sh/v1/oauth2/token";
 	return {
 		id: "polar",
 		name: "Polar",
@@ -59,7 +60,7 @@ export const polar = (options: PolarOptions) => {
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://api.polar.sh/v1/oauth2/token",
+				tokenEndpoint,
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -72,7 +73,7 @@ export const polar = (options: PolarOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://api.polar.sh/v1/oauth2/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/roblox.ts

@@ -33,6 +33,7 @@ export interface RobloxOptions extends ProviderOptions<RobloxProfile> {
 }
 
 export const roblox = (options: RobloxOptions) => {
+	const tokenEndpoint = "https://apis.roblox.com/oauth/v1/token";
 	return {
 		id: "roblox",
 		name: "Roblox",
@@ -55,7 +56,7 @@ export const roblox = (options: RobloxOptions) => {
 				code,
 				redirectURI: options.redirectURI || redirectURI,
 				options,
-				tokenEndpoint: "https://apis.roblox.com/oauth/v1/token",
+				tokenEndpoint,
 				authentication: "post",
 			});
 		},
@@ -69,7 +70,7 @@ export const roblox = (options: RobloxOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://apis.roblox.com/oauth/v1/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/slack.ts

@@ -38,6 +38,7 @@ export interface SlackOptions extends ProviderOptions<SlackProfile> {
 }
 
 export const slack = (options: SlackOptions) => {
+	const tokenEndpoint = "https://slack.com/api/openid.connect.token";
 	return {
 		id: "slack",
 		name: "Slack",
@@ -60,7 +61,7 @@ export const slack = (options: SlackOptions) => {
 				code,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://slack.com/api/openid.connect.token",
+				tokenEndpoint,
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -73,7 +74,7 @@ export const slack = (options: SlackOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://slack.com/api/openid.connect.token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/spotify.ts

@@ -20,6 +20,7 @@ export interface SpotifyOptions extends ProviderOptions<SpotifyProfile> {
 }
 
 export const spotify = (options: SpotifyOptions) => {
+	const tokenEndpoint = "https://accounts.spotify.com/api/token";
 	return {
 		id: "spotify",
 		name: "Spotify",
@@ -43,7 +44,7 @@ export const spotify = (options: SpotifyOptions) => {
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://accounts.spotify.com/api/token",
+				tokenEndpoint,
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -56,7 +57,7 @@ export const spotify = (options: SpotifyOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://accounts.spotify.com/api/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/tiktok.ts

@@ -127,6 +127,7 @@ export interface TiktokOptions extends ProviderOptions {
 }
 
 export const tiktok = (options: TiktokOptions) => {
+	const tokenEndpoint = "https://open.tiktokapis.com/v2/oauth/token/";
 	return {
 		id: "tiktok",
 		name: "TikTok",
@@ -151,7 +152,7 @@ export const tiktok = (options: TiktokOptions) => {
 					clientKey: options.clientKey,
 					clientSecret: options.clientSecret,
 				},
-				tokenEndpoint: "https://open.tiktokapis.com/v2/oauth/token/",
+				tokenEndpoint,
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -162,7 +163,7 @@ export const tiktok = (options: TiktokOptions) => {
 						options: {
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://open.tiktokapis.com/v2/oauth/token/",
+						tokenEndpoint,
 						authentication: "post",
 						extraParams: {
 							client_key: options.clientKey,

package/src/social-providers/twitch.ts

@@ -38,6 +38,7 @@ export interface TwitchOptions extends ProviderOptions<TwitchProfile> {
 	claims?: string[] | undefined;
 }
 export const twitch = (options: TwitchOptions) => {
+	const tokenEndpoint = "https://id.twitch.tv/oauth2/token";
 	return {
 		id: "twitch",
 		name: "Twitch",
@@ -67,7 +68,7 @@ export const twitch = (options: TwitchOptions) => {
 				code,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://id.twitch.tv/oauth2/token",
+				tokenEndpoint,
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -80,7 +81,7 @@ export const twitch = (options: TwitchOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://id.twitch.tv/oauth2/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/twitter.ts

@@ -104,6 +104,7 @@ export interface TwitterOption extends ProviderOptions<TwitterProfile> {
 }
 
 export const twitter = (options: TwitterOption) => {
+	const tokenEndpoint = "https://api.x.com/2/oauth2/token";
 	return {
 		id: "twitter",
 		name: "Twitter",
@@ -130,7 +131,7 @@ export const twitter = (options: TwitterOption) => {
 				authentication: "basic",
 				redirectURI,
 				options,
-				tokenEndpoint: "https://api.x.com/2/oauth2/token",
+				tokenEndpoint,
 			});
 		},
 
@@ -145,7 +146,7 @@ export const twitter = (options: TwitterOption) => {
 							clientSecret: options.clientSecret,
 						},
 						authentication: "basic",
-						tokenEndpoint: "https://api.x.com/2/oauth2/token",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/vk.ts

@@ -26,6 +26,7 @@ export interface VkOption extends ProviderOptions {
 }
 
 export const vk = (options: VkOption) => {
+	const tokenEndpoint = "https://id.vk.com/oauth2/auth";
 	return {
 		id: "vk",
 		name: "VK",
@@ -57,7 +58,7 @@ export const vk = (options: VkOption) => {
 				redirectURI: options.redirectURI || redirectURI,
 				options,
 				deviceId,
-				tokenEndpoint: "https://id.vk.com/oauth2/auth",
+				tokenEndpoint,
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -70,7 +71,7 @@ export const vk = (options: VkOption) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://id.vk.com/oauth2/auth",
+						tokenEndpoint,
 					});
 				},
 		async getUserInfo(data) {

package/src/social-providers/wechat.ts

@@ -0,0 +1,213 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuth2Tokens, OAuthProvider, ProviderOptions } from "../oauth2";
+
+/**
+ * WeChat user profile information
+ * @see https://developers.weixin.qq.com/doc/oplatform/en/Website_App/WeChat_Login/Wechat_Login.html
+ */
+export interface WeChatProfile extends Record<string, any> {
+	/**
+	 * User's unique OpenID
+	 */
+	openid: string;
+	/**
+	 * User's nickname
+	 */
+	nickname: string;
+	/**
+	 * User's avatar image URL
+	 */
+	headimgurl: string;
+	/**
+	 * User's privileges
+	 */
+	privilege: string[];
+	/**
+	 * User's UnionID (unique across the developer's various applications)
+	 */
+	unionid?: string;
+	/** @note Email is currently unsupported by WeChat */
+	email?: string;
+}
+
+export interface WeChatOptions extends ProviderOptions<WeChatProfile> {
+	/**
+	 * WeChat App ID
+	 */
+	clientId: string;
+	/**
+	 * WeChat App Secret
+	 */
+	clientSecret: string;
+	/**
+	 * Platform type for WeChat login
+	 * - Currently only supports "WebsiteApp" for WeChat Website Application (网站应用)
+	 * @default "WebsiteApp"
+	 */
+	platformType?: "WebsiteApp";
+
+	/**
+	 * UI language for the WeChat login page
+	 * cn for Simplified Chinese, en for English
+	 * @default "cn" if left undefined
+	 */
+	lang?: "cn" | "en";
+}
+
+export const wechat = (options: WeChatOptions) => {
+	return {
+		id: "wechat",
+		name: "WeChat",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["snsapi_login"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+
+			// WeChat uses non-standard OAuth2 parameters (appid instead of client_id)
+			// and requires a fragment (#wechat_redirect), so we construct the URL manually.
+			const url = new URL("https://open.weixin.qq.com/connect/qrconnect");
+			url.searchParams.set("scope", _scopes.join(","));
+			url.searchParams.set("response_type", "code");
+			url.searchParams.set("appid", options.clientId);
+			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+			url.searchParams.set("state", state);
+			url.searchParams.set("lang", options.lang || "cn");
+			url.hash = "wechat_redirect";
+
+			return url;
+		},
+
+		// WeChat uses non-standard token exchange (appid/secret instead of
+		// client_id/client_secret, GET instead of POST), so shared helpers
+		// like validateAuthorizationCode/getOAuth2Tokens cannot be used directly.
+		validateAuthorizationCode: async ({ code }) => {
+			const params = new URLSearchParams({
+				appid: options.clientId,
+				secret: options.clientSecret,
+				code: code,
+				grant_type: "authorization_code",
+			});
+
+			const { data: tokenData, error } = await betterFetch<{
+				access_token: string;
+				expires_in: number;
+				refresh_token: string;
+				openid: string;
+				scope: string;
+				unionid?: string;
+				errcode?: number;
+				errmsg?: string;
+			}>(
+				"https://api.weixin.qq.com/sns/oauth2/access_token?" +
+					params.toString(),
+				{
+					method: "GET",
+				},
+			);
+
+			if (error || !tokenData || tokenData.errcode) {
+				throw new Error(
+					`Failed to validate authorization code: ${tokenData?.errmsg || error?.message || "Unknown error"}`,
+				);
+			}
+
+			return {
+				tokenType: "Bearer" as const,
+				accessToken: tokenData.access_token,
+				refreshToken: tokenData.refresh_token,
+				accessTokenExpiresAt: new Date(
+					Date.now() + tokenData.expires_in * 1000,
+				),
+				scopes: tokenData.scope.split(","),
+				// WeChat requires openid for the userinfo endpoint, which is
+				// returned alongside the access token.
+				openid: tokenData.openid,
+				unionid: tokenData.unionid,
+			};
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					const params = new URLSearchParams({
+						appid: options.clientId,
+						grant_type: "refresh_token",
+						refresh_token: refreshToken,
+					});
+
+					const { data: tokenData, error } = await betterFetch<{
+						access_token: string;
+						expires_in: number;
+						refresh_token: string;
+						openid: string;
+						scope: string;
+						errcode?: number;
+						errmsg?: string;
+					}>(
+						"https://api.weixin.qq.com/sns/oauth2/refresh_token?" +
+							params.toString(),
+						{
+							method: "GET",
+						},
+					);
+
+					if (error || !tokenData || tokenData.errcode) {
+						throw new Error(
+							`Failed to refresh access token: ${tokenData?.errmsg || error?.message || "Unknown error"}`,
+						);
+					}
+
+					return {
+						tokenType: "Bearer" as const,
+						accessToken: tokenData.access_token,
+						refreshToken: tokenData.refresh_token,
+						accessTokenExpiresAt: new Date(
+							Date.now() + tokenData.expires_in * 1000,
+						),
+						scopes: tokenData.scope.split(","),
+					};
+				},
+
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			const openid = (token as OAuth2Tokens & { openid?: string }).openid;
+
+			if (!openid) {
+				return null;
+			}
+
+			const params = new URLSearchParams({
+				access_token: token.accessToken || "",
+				openid: openid,
+				lang: "zh_CN",
+			});
+
+			const { data: profile, error } = await betterFetch<
+				WeChatProfile & { errcode?: number; errmsg?: string }
+			>("https://api.weixin.qq.com/sns/userinfo?" + params.toString(), {
+				method: "GET",
+			});
+
+			if (error || !profile || profile.errcode) {
+				return null;
+			}
+
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.unionid || profile.openid || openid,
+					name: profile.nickname,
+					email: profile.email || null,
+					image: profile.headimgurl,
+					emailVerified: false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<WeChatProfile, WeChatOptions>;
+};