@better-auth/core 1.5.7-beta.1 → 1.6.0-beta.0

package/src/oauth2/validate-token.test.ts

@@ -1,229 +0,0 @@
-import type { JWK } from "jose";
-import { exportJWK, generateKeyPair, SignJWT } from "jose";
-import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
-import { validateToken } from "./validate-authorization-code";
-
-describe("validateToken", () => {
-	const originalFetch = globalThis.fetch;
-	const mockedFetch = vi.fn() as unknown as typeof fetch &
-		ReturnType<typeof vi.fn>;
-
-	beforeAll(() => {
-		globalThis.fetch = mockedFetch;
-	});
-
-	afterAll(() => {
-		globalThis.fetch = originalFetch;
-	});
-
-	async function createTestJWKS(alg: string, crv?: string) {
-		const { publicKey, privateKey } = await generateKeyPair(alg, {
-			crv,
-			extractable: true,
-		});
-		const publicJWK = await exportJWK(publicKey);
-		const privateJWK = await exportJWK(privateKey);
-		const kid = `test-key-${Date.now()}`;
-		publicJWK.kid = kid;
-		publicJWK.alg = alg;
-		privateJWK.kid = kid;
-		privateJWK.alg = alg;
-		return { publicJWK, privateJWK, kid, publicKey, privateKey };
-	}
-
-	async function createSignedToken(
-		privateKey: CryptoKey,
-		alg: string,
-		kid: string,
-		payload: Record<string, unknown> = {},
-	) {
-		return await new SignJWT({
-			sub: "user-123",
-			email: "test@example.com",
-			iss: "https://example.com",
-			aud: "test-client",
-			...payload,
-		})
-			.setProtectedHeader({ alg, kid })
-			.setIssuedAt()
-			.setExpirationTime("1h")
-			.sign(privateKey);
-	}
-
-	function mockJWKSResponse(...publicJWKs: JWK[]) {
-		mockedFetch.mockResolvedValueOnce(
-			new Response(JSON.stringify({ keys: publicJWKs }), {
-				status: 200,
-				headers: { "content-type": "application/json" },
-			}),
-		);
-	}
-
-	it("should verify RS256 signed token", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.sub).toBe("user-123");
-		expect(result.payload.email).toBe("test@example.com");
-	});
-
-	it("should verify ES256 signed token", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("ES256");
-		const token = await createSignedToken(privateKey, "ES256", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.sub).toBe("user-123");
-	});
-
-	it("should verify EdDSA (Ed25519) signed token", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS(
-			"EdDSA",
-			"Ed25519",
-		);
-		const token = await createSignedToken(privateKey, "EdDSA", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.sub).toBe("user-123");
-	});
-
-	it("should throw when kid doesn't match any key", async () => {
-		const { publicJWK, privateKey } = await createTestJWKS("RS256");
-		publicJWK.kid = "different-kid";
-		const token = await createSignedToken(privateKey, "RS256", "original-kid");
-		mockJWKSResponse(publicJWK);
-
-		await expect(
-			validateToken(token, "https://example.com/.well-known/jwks"),
-		).rejects.toThrow();
-	});
-
-	it("should find correct key when multiple keys exist", async () => {
-		const key1 = await createTestJWKS("RS256");
-		const key2 = await createTestJWKS("RS256");
-		const key3 = await createTestJWKS("ES256");
-		const token = await createSignedToken(key2.privateKey, "RS256", key2.kid);
-		mockJWKSResponse(key1.publicJWK, key2.publicJWK, key3.publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.sub).toBe("user-123");
-	});
-
-	it("should throw when JWKS returns empty keys array", async () => {
-		const { privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse();
-
-		await expect(
-			validateToken(token, "https://example.com/.well-known/jwks"),
-		).rejects.toThrow();
-	});
-
-	it("should throw when JWKS fetch fails", async () => {
-		const { privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockedFetch.mockResolvedValueOnce(
-			new Response("Internal Server Error", { status: 500 }),
-		);
-
-		await expect(
-			validateToken(token, "https://example.com/.well-known/jwks"),
-		).rejects.toBeDefined();
-	});
-
-	it("should verify token with matching audience", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-			{ audience: "test-client" },
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.aud).toBe("test-client");
-	});
-
-	it("should reject token with mismatched audience", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		await expect(
-			validateToken(token, "https://example.com/.well-known/jwks", {
-				audience: "wrong-client",
-			}),
-		).rejects.toThrow();
-	});
-
-	it("should verify token with matching issuer", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-			{ issuer: "https://example.com" },
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.iss).toBe("https://example.com");
-	});
-
-	it("should reject token with mismatched issuer", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		await expect(
-			validateToken(token, "https://example.com/.well-known/jwks", {
-				issuer: "https://wrong-issuer.com",
-			}),
-		).rejects.toThrow();
-	});
-
-	it("should verify token with both audience and issuer", async () => {
-		const { publicJWK, privateKey, kid } = await createTestJWKS("RS256");
-		const token = await createSignedToken(privateKey, "RS256", kid);
-		mockJWKSResponse(publicJWK);
-
-		const result = await validateToken(
-			token,
-			"https://example.com/.well-known/jwks",
-			{
-				audience: "test-client",
-				issuer: "https://example.com",
-			},
-		);
-
-		expect(result).toBeDefined();
-		expect(result.payload.aud).toBe("test-client");
-		expect(result.payload.iss).toBe("https://example.com");
-	});
-});

package/src/utils/deprecate.test.ts

@@ -1,71 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-import { deprecate } from "./deprecate";
-
-describe("deprecate", () => {
-	it("should warn once when called multiple times", () => {
-		const warn = vi.fn();
-		const logger = { warn } as any;
-		const fn = vi.fn();
-		const deprecatedFn = deprecate(fn, "test message", logger);
-
-		deprecatedFn();
-		deprecatedFn();
-		deprecatedFn();
-
-		expect(warn).toHaveBeenCalledTimes(1);
-		expect(warn).toHaveBeenCalledWith("[Deprecation] test message");
-		expect(fn).toHaveBeenCalledTimes(3);
-	});
-
-	it("should use provided logger if available", () => {
-		const warn = vi.fn();
-		const logger = { warn } as any;
-		const fn = vi.fn();
-		const deprecatedFn = deprecate(fn, "test message", logger);
-
-		deprecatedFn();
-
-		expect(warn).toHaveBeenCalledWith("[Deprecation] test message");
-	});
-
-	it("should fall back to console.warn if no logger provided", () => {
-		const consoleWarn = vi.spyOn(console, "warn").mockImplementation(() => {});
-		const fn = vi.fn();
-		const deprecatedFn = deprecate(fn, "test message");
-
-		deprecatedFn();
-
-		expect(consoleWarn).toHaveBeenCalledWith("[Deprecation] test message");
-	});
-
-	it("should pass arguments and return value correctly", () => {
-		const fn = vi.fn((a: number, b: number) => a + b);
-		const deprecatedFn = deprecate(fn, "test message", {
-			warn: vi.fn(),
-		} as any);
-
-		const result = deprecatedFn(1, 2);
-
-		expect(result).toBe(3);
-		expect(fn).toHaveBeenCalledWith(1, 2);
-	});
-
-	it("should preserve this context", () => {
-		class TestClass {
-			value = 10;
-			method(a: number) {
-				return this.value + a;
-			}
-		}
-
-		const instance = new TestClass();
-		const originalMethod = instance.method;
-		instance.method = deprecate(originalMethod, "test message", {
-			warn: vi.fn(),
-		} as any);
-
-		const result = instance.method(5);
-
-		expect(result).toBe(15);
-	});
-});

package/src/utils/fetch-metadata.test.ts

@@ -1,28 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { isBrowserFetchRequest } from "./fetch-metadata";
-
-describe("isBrowserFetchRequest", () => {
-	it("returns true for browser fetch requests", () => {
-		expect(
-			isBrowserFetchRequest(
-				new Headers({
-					"Sec-Fetch-Mode": "cors",
-				}),
-			),
-		).toBe(true);
-	});
-
-	it("returns false for navigation requests", () => {
-		expect(
-			isBrowserFetchRequest(
-				new Headers({
-					"Sec-Fetch-Mode": "navigate",
-				}),
-			),
-		).toBe(false);
-	});
-
-	it("returns false without fetch metadata", () => {
-		expect(isBrowserFetchRequest()).toBe(false);
-	});
-});

package/src/utils/ip.test.ts

@@ -1,255 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { createRateLimitKey, isValidIP, normalizeIP } from "./ip";
-
-describe("IP Normalization", () => {
-	describe("isValidIP", () => {
-		it("should validate IPv4 addresses", () => {
-			expect(isValidIP("192.168.1.1")).toBe(true);
-			expect(isValidIP("127.0.0.1")).toBe(true);
-			expect(isValidIP("0.0.0.0")).toBe(true);
-			expect(isValidIP("255.255.255.255")).toBe(true);
-		});
-
-		it("should validate IPv6 addresses", () => {
-			expect(isValidIP("2001:db8::1")).toBe(true);
-			expect(isValidIP("::1")).toBe(true);
-			expect(isValidIP("::")).toBe(true);
-			expect(isValidIP("2001:0db8:0000:0000:0000:0000:0000:0001")).toBe(true);
-		});
-
-		it("should reject invalid IPs", () => {
-			expect(isValidIP("not-an-ip")).toBe(false);
-			expect(isValidIP("999.999.999.999")).toBe(false);
-			expect(isValidIP("gggg::1")).toBe(false);
-		});
-	});
-
-	describe("IPv4 Normalization", () => {
-		it("should return IPv4 addresses unchanged", () => {
-			expect(normalizeIP("192.168.1.1")).toBe("192.168.1.1");
-			expect(normalizeIP("127.0.0.1")).toBe("127.0.0.1");
-			expect(normalizeIP("10.0.0.1")).toBe("10.0.0.1");
-		});
-	});
-
-	describe("IPv6 Normalization", () => {
-		it("should normalize compressed IPv6 to full form", () => {
-			expect(normalizeIP("2001:db8::1", { ipv6Subnet: 128 })).toBe(
-				"2001:0db8:0000:0000:0000:0000:0000:0001",
-			);
-			expect(normalizeIP("::1", { ipv6Subnet: 128 })).toBe(
-				"0000:0000:0000:0000:0000:0000:0000:0001",
-			);
-			expect(normalizeIP("::", { ipv6Subnet: 128 })).toBe(
-				"0000:0000:0000:0000:0000:0000:0000:0000",
-			);
-		});
-
-		it("should normalize uppercase to lowercase", () => {
-			expect(normalizeIP("2001:DB8::1", { ipv6Subnet: 128 })).toBe(
-				"2001:0db8:0000:0000:0000:0000:0000:0001",
-			);
-			expect(normalizeIP("2001:0DB8:ABCD:EF00::1", { ipv6Subnet: 128 })).toBe(
-				"2001:0db8:abcd:ef00:0000:0000:0000:0001",
-			);
-		});
-
-		it("should handle various IPv6 formats consistently", () => {
-			// All these represent the same address
-			const normalized = "2001:0db8:0000:0000:0000:0000:0000:0001";
-			expect(normalizeIP("2001:db8::1", { ipv6Subnet: 128 })).toBe(normalized);
-			expect(normalizeIP("2001:0db8:0:0:0:0:0:1", { ipv6Subnet: 128 })).toBe(
-				normalized,
-			);
-			expect(normalizeIP("2001:db8:0::1", { ipv6Subnet: 128 })).toBe(
-				normalized,
-			);
-			expect(normalizeIP("2001:0db8::0:0:0:1", { ipv6Subnet: 128 })).toBe(
-				normalized,
-			);
-		});
-
-		it("should handle IPv6 with :: at different positions", () => {
-			expect(
-				normalizeIP("2001:db8:85a3::8a2e:370:7334", { ipv6Subnet: 128 }),
-			).toBe("2001:0db8:85a3:0000:0000:8a2e:0370:7334");
-			expect(normalizeIP("::ffff:192.0.2.1")).not.toContain("::");
-		});
-	});
-
-	describe("IPv4-mapped IPv6 Conversion", () => {
-		it("should convert IPv4-mapped IPv6 to IPv4", () => {
-			expect(normalizeIP("::ffff:192.0.2.1")).toBe("192.0.2.1");
-			expect(normalizeIP("::ffff:127.0.0.1")).toBe("127.0.0.1");
-			expect(normalizeIP("::FFFF:10.0.0.1")).toBe("10.0.0.1");
-		});
-
-		it("should handle hex-encoded IPv4 in mapped addresses", () => {
-			// ::ffff:c000:0201 = ::ffff:192.0.2.1 = 192.0.2.1
-			expect(normalizeIP("::ffff:c000:0201")).toBe("192.0.2.1");
-			// ::ffff:7f00:0001 = ::ffff:127.0.0.1 = 127.0.0.1
-			expect(normalizeIP("::ffff:7f00:0001")).toBe("127.0.0.1");
-		});
-
-		it("should handle full form IPv4-mapped IPv6", () => {
-			expect(normalizeIP("0:0:0:0:0:ffff:192.0.2.1")).toBe("192.0.2.1");
-		});
-	});
-
-	describe("IPv6 Subnet Support", () => {
-		it("should extract /64 subnet", () => {
-			/* cspell:disable-next-line */
-			const ip1 = normalizeIP("2001:db8:0:0:1234:5678:90ab:cdef", {
-				ipv6Subnet: 64,
-			});
-			const ip2 = normalizeIP("2001:db8:0:0:ffff:ffff:ffff:ffff", {
-				ipv6Subnet: 64,
-			});
-			// Both should have same /64 prefix
-			expect(ip1).toBe("2001:0db8:0000:0000:0000:0000:0000:0000");
-			expect(ip2).toBe("2001:0db8:0000:0000:0000:0000:0000:0000");
-			expect(ip1).toBe(ip2);
-		});
-
-		it("should extract /48 subnet", () => {
-			/* cspell:disable-next-line */
-			const ip1 = normalizeIP("2001:db8:1234:5678:90ab:cdef:1234:5678", {
-				ipv6Subnet: 48,
-			});
-			const ip2 = normalizeIP("2001:db8:1234:ffff:ffff:ffff:ffff:ffff", {
-				ipv6Subnet: 48,
-			});
-			// Both should have same /48 prefix
-			expect(ip1).toBe("2001:0db8:1234:0000:0000:0000:0000:0000");
-			expect(ip2).toBe("2001:0db8:1234:0000:0000:0000:0000:0000");
-			expect(ip1).toBe(ip2);
-		});
-
-		it("should extract /32 subnet", () => {
-			/* cspell:disable-next-line */
-			const ip1 = normalizeIP("2001:db8:1234:5678:90ab:cdef:1234:5678", {
-				ipv6Subnet: 32,
-			});
-			const ip2 = normalizeIP("2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", {
-				ipv6Subnet: 32,
-			});
-			// Both should have same /32 prefix
-			expect(ip1).toBe("2001:0db8:0000:0000:0000:0000:0000:0000");
-			expect(ip2).toBe("2001:0db8:0000:0000:0000:0000:0000:0000");
-			expect(ip1).toBe(ip2);
-		});
-
-		it("should handle /64 subnet by default", () => {
-			const ip1 = normalizeIP("2001:db8::1");
-			const ip2 = normalizeIP("2001:db8::1", { ipv6Subnet: 64 });
-			expect(ip1).toBe(ip2);
-			expect(ip1).toBe("2001:0db8:0000:0000:0000:0000:0000:0000");
-		});
-
-		it("should not affect IPv4 addresses when ipv6Subnet is set", () => {
-			expect(normalizeIP("192.168.1.1", { ipv6Subnet: 64 })).toBe(
-				"192.168.1.1",
-			);
-		});
-	});
-
-	describe("Rate Limit Key Creation", () => {
-		it("should create keys with separator", () => {
-			expect(createRateLimitKey("192.168.1.1", "/sign-in")).toBe(
-				"192.168.1.1|/sign-in",
-			);
-			expect(createRateLimitKey("2001:db8::1", "/api/auth")).toBe(
-				"2001:db8::1|/api/auth",
-			);
-		});
-
-		it("should prevent collision attacks", () => {
-			// Without separator: "192.0.2.1" + "/sign-in" = "192.0.2.1/sign-in"
-			//                    "192.0.2" + ".1/sign-in" = "192.0.2.1/sign-in"
-			// With separator: they're different
-			const key1 = createRateLimitKey("192.0.2.1", "/sign-in");
-			const key2 = createRateLimitKey("192.0.2", ".1/sign-in");
-			expect(key1).not.toBe(key2);
-			expect(key1).toBe("192.0.2.1|/sign-in");
-			expect(key2).toBe("192.0.2|.1/sign-in");
-		});
-	});
-
-	describe("Security: Bypass Prevention", () => {
-		it("should prevent IPv6 representation bypass", () => {
-			// Attacker tries different representations of same address
-			const representations = [
-				"2001:db8::1",
-				"2001:DB8::1",
-				"2001:0db8::1",
-				"2001:db8:0::1",
-				"2001:0db8:0:0:0:0:0:1",
-				"2001:db8::0:1",
-			];
-
-			const normalized = representations.map((ip) =>
-				normalizeIP(ip, { ipv6Subnet: 128 }),
-			);
-			// All should normalize to the same value
-			const uniqueValues = new Set(normalized);
-			expect(uniqueValues.size).toBe(1);
-			expect(normalized[0]).toBe("2001:0db8:0000:0000:0000:0000:0000:0001");
-		});
-
-		it("should prevent IPv4-mapped bypass", () => {
-			// Attacker switches between IPv4 and IPv4-mapped IPv6
-			const ip1 = normalizeIP("192.0.2.1");
-			const ip2 = normalizeIP("::ffff:192.0.2.1");
-			const ip3 = normalizeIP("::FFFF:192.0.2.1");
-			const ip4 = normalizeIP("::ffff:c000:0201");
-
-			// All should normalize to the same IPv4
-			expect(ip1).toBe("192.0.2.1");
-			expect(ip2).toBe("192.0.2.1");
-			expect(ip3).toBe("192.0.2.1");
-			expect(ip4).toBe("192.0.2.1");
-		});
-
-		it("should group IPv6 subnet attacks", () => {
-			// Attacker rotates through addresses in their /64 allocation
-			const attackIPs = [
-				"2001:db8:abcd:1234:0000:0000:0000:0001",
-				"2001:db8:abcd:1234:1111:2222:3333:4444",
-				"2001:db8:abcd:1234:ffff:ffff:ffff:ffff",
-				"2001:db8:abcd:1234:aaaa:bbbb:cccc:dddd",
-			];
-
-			const normalized = attackIPs.map((ip) =>
-				normalizeIP(ip, { ipv6Subnet: 64 }),
-			);
-
-			// All should map to same /64 subnet
-			const uniqueValues = new Set(normalized);
-			expect(uniqueValues.size).toBe(1);
-			expect(normalized[0]).toBe("2001:0db8:abcd:1234:0000:0000:0000:0000");
-		});
-	});
-
-	describe("Edge Cases", () => {
-		it("should handle localhost addresses", () => {
-			expect(normalizeIP("127.0.0.1")).toBe("127.0.0.1");
-			expect(normalizeIP("::1", { ipv6Subnet: 128 })).toBe(
-				"0000:0000:0000:0000:0000:0000:0000:0001",
-			);
-		});
-
-		it("should handle all-zeros address", () => {
-			expect(normalizeIP("0.0.0.0")).toBe("0.0.0.0");
-			expect(normalizeIP("::", { ipv6Subnet: 128 })).toBe(
-				"0000:0000:0000:0000:0000:0000:0000:0000",
-			);
-		});
-
-		it("should handle link-local addresses", () => {
-			expect(normalizeIP("169.254.0.1")).toBe("169.254.0.1");
-			expect(normalizeIP("fe80::1", { ipv6Subnet: 128 })).toBe(
-				"fe80:0000:0000:0000:0000:0000:0000:0001",
-			);
-		});
-	});
-});