@better-auth/core 1.5.6 → 1.6.0-beta.0

package/src/instrumentation/instrumentation.test.ts

@@ -1,139 +0,0 @@
-import { trace } from "@opentelemetry/api";
-import {
-	InMemorySpanExporter,
-	SimpleSpanProcessor,
-} from "@opentelemetry/sdk-trace-base";
-import { NodeTracerProvider } from "@opentelemetry/sdk-trace-node";
-import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
-import { withSpan } from ".";
-import { ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME } from "./attributes";
-
-describe("instrumentation", () => {
-	let provider: NodeTracerProvider;
-	let exporter: InMemorySpanExporter;
-
-	beforeAll(async () => {
-		exporter = new InMemorySpanExporter();
-		provider = new NodeTracerProvider({
-			spanProcessors: [new SimpleSpanProcessor(exporter)],
-		});
-		trace.setGlobalTracerProvider(provider);
-	});
-
-	afterAll(async () => {
-		await provider.shutdown();
-	});
-
-	beforeEach(() => {
-		exporter.reset();
-	});
-
-	it("creates a span with name and attributes for sync function", () => {
-		const result = withSpan(
-			"test.sync",
-			{
-				[ATTR_DB_OPERATION_NAME]: "findOne",
-				[ATTR_DB_COLLECTION_NAME]: "user",
-			},
-			() => 42,
-		);
-
-		expect(result).toBe(42);
-
-		const spans = exporter.getFinishedSpans();
-		expect(spans).toHaveLength(1);
-		expect(spans[0]?.name).toBe("test.sync");
-		expect(spans[0]?.attributes).toMatchObject({
-			[ATTR_DB_OPERATION_NAME]: "findOne",
-			[ATTR_DB_COLLECTION_NAME]: "user",
-		});
-	});
-
-	it("creates a span for async function", async () => {
-		const result = await withSpan(
-			"test.async",
-			{ endpoint: "getSession" },
-			async () => {
-				await new Promise((r) => setTimeout(r, 5));
-				return "session-id";
-			},
-		);
-
-		expect(result).toBe("session-id");
-
-		const spans = exporter.getFinishedSpans();
-		expect(spans).toHaveLength(1);
-		expect(spans[0]?.name).toBe("test.async");
-		expect(spans[0]?.attributes).toMatchObject({ endpoint: "getSession" });
-	});
-
-	it("records error status and exception when sync function throws", () => {
-		const err = new Error("sync failure");
-
-		expect(() =>
-			withSpan("test.sync.error", { foo: "bar" }, () => {
-				throw err;
-			}),
-		).toThrow("sync failure");
-
-		const spans = exporter.getFinishedSpans();
-		expect(spans).toHaveLength(1);
-		expect(spans[0]?.name).toBe("test.sync.error");
-		expect(spans[0]?.status).toMatchObject({
-			code: 2,
-			message: "sync failure",
-		});
-	});
-
-	it("records error status and exception when async function rejects", async () => {
-		const err = new Error("async failure");
-
-		await expect(
-			withSpan("test.async.error", { baz: 1 }, async () => {
-				await Promise.resolve();
-				throw err;
-			}),
-		).rejects.toThrow("async failure");
-
-		const spans = exporter.getFinishedSpans();
-		expect(spans).toHaveLength(1);
-		expect(spans[0]?.name).toBe("test.async.error");
-		expect(spans[0]?.status).toMatchObject({
-			code: 2,
-			message: "async failure",
-		});
-	});
-
-	it("creates multiple sequential spans", () => {
-		void withSpan("first", { order: 1 }, () => 1);
-		void withSpan("second", { order: 2 }, () => 2);
-
-		const spans = exporter.getFinishedSpans();
-		expect(spans).toHaveLength(2);
-		expect(spans.map((s) => s.name)).toEqual(
-			expect.arrayContaining(["first", "second"]),
-		);
-	});
-
-	it("creates nested spans when withSpan is composed", () => {
-		const result = withSpan("outer", { depth: 0 }, () => {
-			return withSpan("inner", { depth: 1 }, () => "ok");
-		});
-
-		expect(result).toBe("ok");
-
-		const spans = exporter.getFinishedSpans();
-		expect(spans).toHaveLength(2);
-		expect(spans.map((s) => s.name).sort()).toEqual(["inner", "outer"]);
-	});
-
-	it("uses better-auth instrumentation scope", () => {
-		void withSpan("scope.check", {}, () => undefined);
-
-		const spans = exporter.getFinishedSpans();
-		expect(spans).toHaveLength(1);
-
-		const span = spans[0];
-		expect(span?.instrumentationLibrary?.name).toBe("better-auth");
-	});
-});

package/src/oauth2/refresh-access-token.test.ts

@@ -1,90 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-
-vi.mock("@better-fetch/fetch", () => ({
-	betterFetch: vi.fn(),
-}));
-
-import { betterFetch } from "@better-fetch/fetch";
-import { refreshAccessToken } from "./refresh-access-token";
-
-const mockedBetterFetch = vi.mocked(betterFetch);
-
-describe("refreshAccessToken", () => {
-	it("should set accessTokenExpiresAt when expires_in is returned", async () => {
-		const now = Date.now();
-		mockedBetterFetch.mockResolvedValueOnce({
-			data: {
-				access_token: "new-access-token",
-				refresh_token: "new-refresh-token",
-				expires_in: 3600,
-				token_type: "Bearer",
-			},
-			error: null,
-		});
-
-		const tokens = await refreshAccessToken({
-			refreshToken: "old-refresh-token",
-			options: { clientId: "test-client", clientSecret: "test-secret" },
-			tokenEndpoint: "https://example.com/token",
-		});
-
-		expect(tokens.accessToken).toBe("new-access-token");
-		expect(tokens.refreshToken).toBe("new-refresh-token");
-		expect(tokens.accessTokenExpiresAt).toBeInstanceOf(Date);
-		expect(tokens.accessTokenExpiresAt!.getTime()).toBeGreaterThanOrEqual(
-			now + 3600 * 1000 - 1000,
-		);
-		expect(tokens.refreshTokenExpiresAt).toBeUndefined();
-	});
-
-	/**
-	 * @see https://github.com/better-auth/better-auth/issues/7682
-	 */
-	it("should set refreshTokenExpiresAt when refresh_token_expires_in is returned", async () => {
-		const now = Date.now();
-		mockedBetterFetch.mockResolvedValueOnce({
-			data: {
-				access_token: "new-access-token",
-				refresh_token: "new-refresh-token",
-				expires_in: 3600,
-				refresh_token_expires_in: 86400,
-				token_type: "Bearer",
-			},
-			error: null,
-		});
-
-		const tokens = await refreshAccessToken({
-			refreshToken: "old-refresh-token",
-			options: { clientId: "test-client", clientSecret: "test-secret" },
-			tokenEndpoint: "https://example.com/token",
-		});
-
-		expect(tokens.accessToken).toBe("new-access-token");
-		expect(tokens.refreshToken).toBe("new-refresh-token");
-		expect(tokens.accessTokenExpiresAt).toBeInstanceOf(Date);
-		expect(tokens.refreshTokenExpiresAt).toBeInstanceOf(Date);
-		expect(tokens.refreshTokenExpiresAt!.getTime()).toBeGreaterThanOrEqual(
-			now + 86400 * 1000 - 1000,
-		);
-	});
-
-	it("should not set refreshTokenExpiresAt when refresh_token_expires_in is not returned", async () => {
-		mockedBetterFetch.mockResolvedValueOnce({
-			data: {
-				access_token: "new-access-token",
-				refresh_token: "new-refresh-token",
-				expires_in: 3600,
-				token_type: "Bearer",
-			},
-			error: null,
-		});
-
-		const tokens = await refreshAccessToken({
-			refreshToken: "old-refresh-token",
-			options: { clientId: "test-client", clientSecret: "test-secret" },
-			tokenEndpoint: "https://example.com/token",
-		});
-
-		expect(tokens.refreshTokenExpiresAt).toBeUndefined();
-	});
-});

package/src/oauth2/validate-token.test.ts

@@ -1,229 +0,0 @@
-import type { JWK } from "jose";
-import { exportJWK, generateKeyPair, SignJWT } from "jose";
-import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
-import { validateToken } from "./validate-authorization-code";
-
-describe("validateToken", () => {
-	const originalFetch = globalThis.fetch;
-	const mockedFetch = vi.fn() as unknown as typeof fetch &
-		ReturnType<typeof vi.fn>;
-
-	beforeAll(() => {
-		globalThis.fetch = mockedFetch;
-	});
-
-	afterAll(() => {
-		globalThis.fetch = originalFetch;
-	});
-
-	async function createTestJWKS(alg: string, crv?: string) {
-		const { publicKey, privateKey } = await generateKeyPair(alg, {
-			crv,
-			extractable: true,
-		});
-		const publicJWK = await exportJWK(publicKey);
-		const privateJWK = await exportJWK(privateKey);
-		const kid = `test-key-${Date.now()}`;
-		publicJWK.kid = kid;
-		publicJWK.alg = alg;
-		privateJWK.kid = kid;
-		privateJWK.alg = alg;
-		return { publicJWK, privateJWK, kid, publicKey, privateKey };
-	}
-
-	async function createSignedToken(
-		privateKey: CryptoKey,
-		alg: string,
-		kid: string,
-		payload: Record<string, unknown> = {},
-	) {
-		return await new SignJWT({
-			sub: "user-123",
-			email: "test@example.com",
-			iss: "https://example.com",
-			aud: "test-client",
-			...payload,
-		})
-			.setProtectedHeader({ alg, kid })
-			.setIssuedAt()
-			.setExpirationTime("1h")
-			.sign(privateKey);
-	}
-
-	function mockJWKSResponse(...publicJWKs: JWK[]) {
-		mockedFetch.mockResolvedValueOnce(
-			new Response(JSON.stringify({ keys: publicJWKs }), {
-				status: 200,
-				headers: { "content-type": "application/json" },
-			}),
-		);
-	}
-
-	it("should verify RS256 signed token", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.sub).toBe("user-123");
-		expect(result.payload.email).toBe("test@example.com");
-	});
-
-	it("should verify ES256 signed token", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("ES256");
-		const token = await createSignedToken(privateKey, "ES256", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.sub).toBe("user-123");
-	});
-
-	it("should verify EdDSA (Ed25519) signed token", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS(
-			"EdDSA",
-			"Ed25519",
-		);
-		const token = await createSignedToken(privateKey, "EdDSA", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.sub).toBe("user-123");
-	});
-
-	it("should throw when kid doesn't match any key", async () => {
-		const { publicJWK, privateKey } = await createTestJWKS("RS256");
-		publicJWK.kid = "different-kid";
-		const token = await createSignedToken(privateKey, "RS256", "original-kid");
-		mockJWKSResponse(publicJWK);
-
-		await expect(
-			validateToken(token, "https://example.com/.well-known/jwks"),
-		).rejects.toThrow();
-	});
-
-	it("should find correct key when multiple keys exist", async () => {
-		const key1 = await createTestJWKS("RS256");
-		const key2 = await createTestJWKS("RS256");
-		const key3 = await createTestJWKS("ES256");
-		const token = await createSignedToken(key2.privateKey, "RS256", key2.kid);
-		mockJWKSResponse(key1.publicJWK, key2.publicJWK, key3.publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.sub).toBe("user-123");
-	});
-
-	it("should throw when JWKS returns empty keys array", async () => {
-		const { privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse();
-
-		await expect(
-			validateToken(token, "https://example.com/.well-known/jwks"),
-		).rejects.toThrow();
-	});
-
-	it("should throw when JWKS fetch fails", async () => {
-		const { privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockedFetch.mockResolvedValueOnce(
-			new Response("Internal Server Error", { status: 500 }),
-		);
-
-		await expect(
-			validateToken(token, "https://example.com/.well-known/jwks"),
-		).rejects.toBeDefined();
-	});
-
-	it("should verify token with matching audience", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-			{ audience: "test-client" },
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.aud).toBe("test-client");
-	});
-
-	it("should reject token with mismatched audience", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		await expect(
-			validateToken(token, "https://example.com/.well-known/jwks", {
-				audience: "wrong-client",
-			}),
-		).rejects.toThrow();
-	});
-
-	it("should verify token with matching issuer", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-			{ issuer: "https://example.com" },
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.iss).toBe("https://example.com");
-	});
-
-	it("should reject token with mismatched issuer", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		await expect(
-			validateToken(token, "https://example.com/.well-known/jwks", {
-				issuer: "https://wrong-issuer.com",
-			}),
-		).rejects.toThrow();
-	});
-
-	it("should verify token with both audience and issuer", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-			{
-				audience: "test-client",
-				issuer: "https://example.com",
-			},
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.aud).toBe("test-client");
-		expect(result.payload.iss).toBe("https://example.com");
-	});
-});

package/src/utils/deprecate.test.ts

@@ -1,71 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-import { deprecate } from "./deprecate";
-
-describe("deprecate", () => {
-	it("should warn once when called multiple times", () => {
-		const warn = vi.fn();
-		const logger = { warn } as any;
-		const fn = vi.fn();
-		const deprecatedFn = deprecate(fn, "test message", logger);
-
-		deprecatedFn();
-		deprecatedFn();
-		deprecatedFn();
-
-		expect(warn).toHaveBeenCalledTimes(1);
-		expect(warn).toHaveBeenCalledWith("[Deprecation] test message");
-		expect(fn).toHaveBeenCalledTimes(3);
-	});
-
-	it("should use provided logger if available", () => {
-		const warn = vi.fn();
-		const logger = { warn } as any;
-		const fn = vi.fn();
-		const deprecatedFn = deprecate(fn, "test message", logger);
-
-		deprecatedFn();
-
-		expect(warn).toHaveBeenCalledWith("[Deprecation] test message");
-	});
-
-	it("should fall back to console.warn if no logger provided", () => {
-		const consoleWarn = vi.spyOn(console, "warn").mockImplementation(() => {});
-		const fn = vi.fn();
-		const deprecatedFn = deprecate(fn, "test message");
-
-		deprecatedFn();
-
-		expect(consoleWarn).toHaveBeenCalledWith("[Deprecation] test message");
-	});
-
-	it("should pass arguments and return value correctly", () => {
-		const fn = vi.fn((a: number, b: number) => a + b);
-		const deprecatedFn = deprecate(fn, "test message", {
-			warn: vi.fn(),
-		} as any);
-
-		const result = deprecatedFn(1, 2);
-
-		expect(result).toBe(3);
-		expect(fn).toHaveBeenCalledWith(1, 2);
-	});
-
-	it("should preserve this context", () => {
-		class TestClass {
-			value = 10;
-			method(a: number) {
-				return this.value + a;
-			}
-		}
-
-		const instance = new TestClass();
-		const originalMethod = instance.method;
-		instance.method = deprecate(originalMethod, "test message", {
-			warn: vi.fn(),
-		} as any);
-
-		const result = instance.method(5);
-
-		expect(result).toBe(15);
-	});
-});

package/src/utils/fetch-metadata.test.ts

@@ -1,28 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { isBrowserFetchRequest } from "./fetch-metadata";
-
-describe("isBrowserFetchRequest", () => {
-	it("returns true for browser fetch requests", () => {
-		expect(
-			isBrowserFetchRequest(
-				new Headers({
-					"Sec-Fetch-Mode": "cors",
-				}),
-			),
-		).toBe(true);
-	});
-
-	it("returns false for navigation requests", () => {
-		expect(
-			isBrowserFetchRequest(
-				new Headers({
-					"Sec-Fetch-Mode": "navigate",
-				}),
-			),
-		).toBe(false);
-	});
-
-	it("returns false without fetch metadata", () => {
-		expect(isBrowserFetchRequest()).toBe(false);
-	});
-});