@better-auth/core 1.6.15 → 1.6.17

package/src/oauth2/verify.ts

@@ -4,6 +4,7 @@ import type {
 	JSONWebKeySet,
 	JWTPayload,
 	JWTVerifyOptions,
+	JWTVerifyResult,
 	ProtectedHeaderParameters,
 } from "jose";
 import {
@@ -25,8 +26,102 @@ function isJoseInfrastructureError(error: joseErrors.JOSEError) {
 	return joseInfrastructureErrorCodes.has(error.code);
 }
 
-/** Last fetched jwks used locally in getJwks @internal */
-let jwks: JSONWebKeySet | undefined;
+interface JwksCacheEntry {
+	jwks: JSONWebKeySet;
+	fetchedAt: number;
+	noKidRefetchedAt?: number | undefined;
+}
+
+type JwksFetchOptions = {
+	/** Jwks url or promise of a Jwks */
+	jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+	/**
+	 * Stable object to cache the result of a function `jwksFetch` under,
+	 * with the same TTL and kid-miss refetch rules as string sources.
+	 * Without it, a function source is fetched on every verification.
+	 */
+	jwksCacheKey?: object;
+};
+
+type ResolvedJwks = {
+	jwks: JSONWebKeySet;
+	fromCache: boolean;
+	kid: string | undefined;
+	noKidRefetchedAt?: number | undefined;
+};
+
+/**
+ * @internal
+ */
+export const jwksCache = new Map<string, JwksCacheEntry>();
+
+/**
+ * Cache for function jwks sources, keyed by a caller-provided stable object.
+ * Entries are released with their key, so per-request keys cannot accumulate.
+ */
+const functionJwksCache = new WeakMap<object, JwksCacheEntry>();
+
+/**
+ * How long a cached JWKS is trusted before it is refetched
+ *
+ * @internal
+ */
+const JWKS_CACHE_TTL_MS = 5 * 60 * 1000;
+const JWKS_NO_KID_REFETCH_COOLDOWN_MS = 30 * 1000;
+
+/**
+ * Returns the cached key set when it is within the TTL. When the token carries
+ * `kid`, the cached set must contain that key id; without `kid`, key selection
+ * is deferred to JOSE because RFC 7515 makes the header parameter optional.
+ */
+function getFreshJwksWithKid(
+	cached: JwksCacheEntry | undefined,
+	kid: string | undefined,
+): JSONWebKeySet | undefined {
+	if (!cached) return undefined;
+	if (Date.now() - cached.fetchedAt >= JWKS_CACHE_TTL_MS) return undefined;
+	if (kid && !cached.jwks.keys.some((jwk) => jwk.kid === kid)) {
+		return undefined;
+	}
+	return cached.jwks;
+}
+
+function shouldRefetchCachedJwksWithoutKid(
+	error: unknown,
+	resolved: ResolvedJwks,
+) {
+	const isRetryableNoKidFailure =
+		resolved.fromCache &&
+		!resolved.kid &&
+		(error instanceof joseErrors.JWKSNoMatchingKey ||
+			error instanceof joseErrors.JWSSignatureVerificationFailed);
+	if (!isRetryableNoKidFailure) return false;
+	if (!resolved.noKidRefetchedAt) return true;
+	return (
+		Date.now() - resolved.noKidRefetchedAt >= JWKS_NO_KID_REFETCH_COOLDOWN_MS
+	);
+}
+
+async function fetchJwks(
+	jwksFetch: JwksFetchOptions["jwksFetch"],
+): Promise<JSONWebKeySet> {
+	const jwks =
+		typeof jwksFetch === "string"
+			? await betterFetch<JSONWebKeySet>(jwksFetch, {
+					headers: {
+						Accept: "application/json",
+					},
+				}).then(async (res) => {
+					if (res.error)
+						throw new Error(
+							`Jwks failed: ${res.error.message ?? res.error.statusText}`,
+						);
+					return res.data;
+				})
+			: await jwksFetch();
+	if (!jwks) throw new Error("No jwks found");
+	return jwks;
+}
 
 export interface VerifyAccessTokenRemote {
 	/** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
@@ -41,6 +136,20 @@ export interface VerifyAccessTokenRemote {
 	 * is also still active.
 	 */
 	force?: boolean;
+	/**
+	 * Accept introspection responses that omit the `aud` claim even when a
+	 * required `audience` is configured in `verifyOptions`.
+	 *
+	 * By default verification fails closed: if you configure an `audience` and
+	 * the introspection response has no `aud` (or a mismatching one), the token
+	 * is rejected. Some authorization servers legitimately omit `aud` from
+	 * introspection responses (it is OPTIONAL per RFC 7662 §2.2); only enable
+	 * this if you trust the issuer to bind the token to this resource through
+	 * another mechanism, as it skips the audience check in that case.
+	 *
+	 * @default false
+	 */
+	allowMissingAudience?: boolean;
 }
 
 /**
@@ -50,21 +159,36 @@ export interface VerifyAccessTokenRemote {
  */
 export async function verifyJwsAccessToken(
 	token: string,
-	opts: {
-		/** Jwks url or promise of a Jwks */
-		jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+	opts: JwksFetchOptions & {
 		/** Verify options */
 		verifyOptions: JWTVerifyOptions &
 			Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
 	},
 ) {
 	try {
-		const jwks = await getJwks(token, opts);
-		const jwt = await jwtVerify<JWTPayload>(
-			token,
-			createLocalJWKSet(jwks),
-			opts.verifyOptions,
-		);
+		const resolved = await getJwksForVerification(token, opts);
+		let jwt: JWTVerifyResult<JWTPayload>;
+		try {
+			jwt = await jwtVerify<JWTPayload>(
+				token,
+				createLocalJWKSet(resolved.jwks),
+				opts.verifyOptions,
+			);
+		} catch (error) {
+			if (shouldRefetchCachedJwksWithoutKid(error, resolved)) {
+				const refreshed = await getJwksForVerification(token, {
+					...opts,
+					forceRefresh: true,
+				});
+				jwt = await jwtVerify<JWTPayload>(
+					token,
+					createLocalJWKSet(refreshed.jwks),
+					opts.verifyOptions,
+				);
+			} else {
+				throw error;
+			}
+		}
 		// Return the JWT payload in introspection format
 		// https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
 		if (jwt.payload.azp) {
@@ -77,12 +201,13 @@ export async function verifyJwsAccessToken(
 	}
 }
 
-export async function getJwks(
+export async function getJwks(token: string, opts: JwksFetchOptions) {
+	return (await getJwksForVerification(token, opts)).jwks;
+}
+
+async function getJwksForVerification(
 	token: string,
-	opts: {
-		/** Jwks url or promise of a Jwks */
-		jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
-	},
+	opts: JwksFetchOptions & { forceRefresh?: boolean },
 ) {
 	// Attempt to decode the token and find a matching kid in jwks
 	let jwtHeaders: ProtectedHeaderParameters | undefined;
@@ -93,30 +218,65 @@ export async function getJwks(
 		throw new Error(error as unknown as string);
 	}
 
-	if (!jwtHeaders.kid) {
-		throw new APIError("UNAUTHORIZED", { message: "invalid access token" });
-	}
+	const kid = jwtHeaders.kid;
 
-	// Fetch jwks if not set or has a different kid than the one stored
-	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
-		jwks =
-			typeof opts.jwksFetch === "string"
-				? await betterFetch<JSONWebKeySet>(opts.jwksFetch, {
-						headers: {
-							Accept: "application/json",
-						},
-					}).then(async (res) => {
-						if (res.error)
-							throw new Error(
-								`Jwks failed: ${res.error.message ?? res.error.statusText}`,
-							);
-						return res.data;
-					})
-				: await opts.jwksFetch();
+	// Function sources have no usable identity of their own (callers pass
+	// fresh closures per request), so they are cached only under a stable
+	// caller-provided key object.
+	if (typeof opts.jwksFetch !== "string") {
+		const cacheKey = opts.jwksCacheKey;
+		if (!cacheKey) {
+			const jwks = await opts.jwksFetch();
+			if (!jwks) throw new Error("No jwks found");
+			return { jwks, fromCache: false, kid };
+		}
+		const cached = functionJwksCache.get(cacheKey);
+		const cachedJwks = opts.forceRefresh
+			? undefined
+			: getFreshJwksWithKid(cached, kid);
+		if (cachedJwks) {
+			return {
+				jwks: cachedJwks,
+				fromCache: true,
+				kid,
+				noKidRefetchedAt: cached?.noKidRefetchedAt,
+			};
+		}
+		const jwks = await opts.jwksFetch();
 		if (!jwks) throw new Error("No jwks found");
+		const fetchedAt = Date.now();
+		functionJwksCache.set(cacheKey, {
+			jwks,
+			fetchedAt,
+			...(opts.forceRefresh && !kid ? { noKidRefetchedAt: fetchedAt } : {}),
+		});
+		return { jwks, fromCache: false, kid };
 	}
 
-	return jwks;
+	// The cache is scoped to `cacheKey`, so a token is only ever matched
+	// against the key set published by its own source.
+	const cacheKey = opts.jwksFetch;
+	const cached = jwksCache.get(cacheKey);
+	const cachedJwks = opts.forceRefresh
+		? undefined
+		: getFreshJwksWithKid(cached, kid);
+	if (!cachedJwks) {
+		const jwks = await fetchJwks(opts.jwksFetch);
+		const fetchedAt = Date.now();
+		jwksCache.set(cacheKey, {
+			jwks,
+			fetchedAt,
+			...(opts.forceRefresh && !kid ? { noKidRefetchedAt: fetchedAt } : {}),
+		});
+		return { jwks, fromCache: false, kid };
+	}
+
+	return {
+		jwks: cachedJwks,
+		fromCache: true,
+		kid,
+		noKidRefetchedAt: cached?.noKidRefetchedAt,
+	};
 }
 
 /**
@@ -201,13 +361,23 @@ export async function verifyAccessToken(
 			throw new APIError("UNAUTHORIZED", {
 				message: "token inactive",
 			});
-		// Verifies payload using verify options (token valid through introspect)
+		// Verifies payload using verify options (token valid through introspect).
+		// Audience is enforced by default: when `verifyOptions.audience` is set
+		// but the introspection response omits `aud` (or it mismatches),
+		// `UnsecuredJWT.decode` throws and the token is rejected. Otherwise a
+		// token issued for a different resource/client on the same issuer would
+		// also pass. Only drop the audience check when the caller has explicitly
+		// opted in via `remoteVerify.allowMissingAudience`.
 		try {
 			const unsecuredJwt = new UnsecuredJWT(introspect).encode();
-			const { audience: _audience, ...verifyOptions } = opts.verifyOptions;
-			const verify = introspect.aud
-				? UnsecuredJWT.decode(unsecuredJwt, opts.verifyOptions)
-				: UnsecuredJWT.decode(unsecuredJwt, verifyOptions);
+			const { audience: _audience, ...verifyOptionsNoAudience } =
+				opts.verifyOptions;
+			const skipAudience =
+				!introspect.aud && opts.remoteVerify.allowMissingAudience === true;
+			const verify = UnsecuredJWT.decode(
+				unsecuredJwt,
+				skipAudience ? verifyOptionsNoAudience : opts.verifyOptions,
+			);
 			payload = verify.payload;
 		} catch (error) {
 			throw new Error(error as unknown as string);

package/src/social-providers/facebook.ts

@@ -24,6 +24,58 @@ export interface FacebookProfile {
 	};
 }
 
+interface FacebookDebugTokenData {
+	app_id?: string;
+	is_valid?: boolean;
+	user_id?: string;
+}
+
+/**
+ * Validate an opaque Facebook access token against the configured app.
+ *
+ * Facebook access tokens are not audience-bound at the Graph `/me` endpoint: a
+ * token minted for any Facebook app returns that app's profile. Without this
+ * check, a token issued to an unrelated app could be presented to this
+ * app's direct sign-in path and accepted as proof of identity. We call the
+ * `debug_token` endpoint and require the token to be valid, bound to one of the
+ * configured client ids, and tied to a user.
+ *
+ * @see https://developers.facebook.com/docs/facebook-login/guides/access-tokens/debugging
+ *
+ * @returns the inspected token's `user_id` when the token is valid and bound to
+ * the configured app, otherwise `null`.
+ */
+async function verifyFacebookAccessToken(
+	accessToken: string,
+	options: FacebookOptions,
+): Promise<string | null> {
+	const primaryClientId = getPrimaryClientId(options.clientId);
+	if (!primaryClientId || !options.clientSecret) {
+		return null;
+	}
+	const clientIds = Array.isArray(options.clientId)
+		? options.clientId
+		: [options.clientId];
+	const appAccessToken = `${primaryClientId}|${options.clientSecret}`;
+	const { data, error } = await betterFetch<{ data?: FacebookDebugTokenData }>(
+		"https://graph.facebook.com/debug_token",
+		{
+			query: {
+				input_token: accessToken,
+				access_token: appAccessToken,
+			},
+		},
+	);
+	if (error || !data?.data) {
+		return null;
+	}
+	const { is_valid, app_id, user_id } = data.data;
+	if (is_valid !== true || !app_id || !clientIds.includes(app_id) || !user_id) {
+		return null;
+	}
+	return user_id;
+}
+
 export interface FacebookOptions extends ProviderOptions<FacebookProfile> {
 	clientId: string | string[];
 	/**
@@ -117,7 +169,10 @@ export const facebook = (options: FacebookOptions) => {
 			}
 
 			/* access_token */
-			return true;
+			// An opaque access token carries no app binding of its own, so it
+			// must be validated against the configured app before it can be
+			// trusted as proof of identity.
+			return (await verifyFacebookAccessToken(token, options)) !== null;
 		},
 		refreshAccessToken: options.refreshAccessToken
 			? options.refreshAccessToken
@@ -178,6 +233,20 @@ export const facebook = (options: FacebookOptions) => {
 				};
 			}
 
+			// The profile is fetched with `accessToken`, which is the credential
+			// that actually proves identity here — and a separate request field
+			// from the `idToken`/token validated by `verifyIdToken`. Since an
+			// opaque token is not app-bound at `/me`, validate this exact token
+			// against the configured app before trusting the profile it returns.
+			const accessToken = token.accessToken;
+			if (!accessToken) {
+				return null;
+			}
+			const tokenUserId = await verifyFacebookAccessToken(accessToken, options);
+			if (!tokenUserId) {
+				return null;
+			}
+
 			const fields = [
 				"id",
 				"name",
@@ -190,13 +259,17 @@ export const facebook = (options: FacebookOptions) => {
 				{
 					auth: {
 						type: "Bearer",
-						token: token.accessToken,
+						token: accessToken,
 					},
 				},
 			);
 			if (error) {
 				return null;
 			}
+			// Bind the validated token to the profile it returned.
+			if (profile.id !== tokenUserId) {
+				return null;
+			}
 			const userMap = await options.mapProfileToUser?.(profile);
 			return {
 				user: {

package/src/social-providers/google.ts

@@ -48,7 +48,12 @@ export interface GoogleOptions extends ProviderOptions<GoogleProfile> {
 	 */
 	display?: ("page" | "popup" | "touch" | "wap") | undefined;
 	/**
-	 * The hosted domain of the user
+	 * The hosted domain (Google Workspace) the user must belong to.
+	 *
+	 * This is sent to Google as the `hd` authorization hint and, when set, is
+	 * also enforced against the `hd` claim of the returned id token/profile.
+	 * Sign-in is rejected when the claim is missing or does not match, so this
+	 * can be used to restrict sign-in to a Workspace domain.
 	 */
 	hd?: string | undefined;
 }
@@ -147,6 +152,15 @@ export const google = (options: GoogleOptions) => {
 					return false;
 				}
 
+				// Google's `hd` authorization parameter is only a UI hint and can
+				// be removed or changed by the user. When a hosted domain is
+				// configured, the `hd` claim in the verified id token is the
+				// authoritative value and must match, otherwise accounts outside
+				// the workspace domain would be accepted.
+				if (options.hd && jwtClaims.hd !== options.hd) {
+					return false;
+				}
+
 				return true;
 			} catch {
 				return false;
@@ -160,6 +174,18 @@ export const google = (options: GoogleOptions) => {
 				return null;
 			}
 			const user = decodeJwt(token.idToken) as GoogleProfile;
+			// Enforce the configured hosted domain on the callback profile path
+			// as well. The `hd` claim must be present and match, since the
+			// authorization-time `hd` hint does not restrict which account signs
+			// in.
+			if (options.hd && user.hd !== options.hd) {
+				logger.error(
+					`Google sign-in rejected: id token hosted domain (hd) "${
+						user.hd ?? "<missing>"
+					}" does not match the configured "hd" option "${options.hd}".`,
+				);
+				return null;
+			}
 			const userMap = await options.mapProfileToUser?.(user);
 			return {
 				user: {

package/src/social-providers/microsoft-entra-id.ts

@@ -11,6 +11,14 @@ import {
 	validateAuthorizationCode,
 } from "../oauth2";
 
+/**
+ * Microsoft's fixed tenant id for personal (consumer) Microsoft accounts. Every
+ * personal-account token carries it as the `tid` claim, so it distinguishes the
+ * consumer account class from work/school tenants.
+ * @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
+ */
+const MICROSOFT_CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
+
 /**
  * @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)
  */
@@ -143,7 +151,14 @@ export interface MicrosoftOptions
 
 export const microsoft = (options: MicrosoftOptions) => {
 	const tenant = options.tenantId || "common";
-	const authority = options.authority || "https://login.microsoftonline.com";
+	// Trim any trailing slash so endpoint URLs and the issuer comparison below
+	// never produce a double slash (e.g. a configured `https://host/` would make
+	// the expected issuer `https://host//<tid>/v2.0` and reject every token). A
+	// loop avoids a trailing-slash regex, which is a polynomial-ReDoS shape.
+	let authority = options.authority || "https://login.microsoftonline.com";
+	while (authority.endsWith("/")) {
+		authority = authority.slice(0, -1);
+	}
 	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
 	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
 	return {
@@ -229,6 +244,30 @@ export const microsoft = (options: MicrosoftOptions) => {
 					return false;
 				}
 
+				// The multi-tenant endpoints (common/organizations/consumers) skip
+				// jose's issuer check above because the issuer varies per tenant, and
+				// the organizations and consumers JWKS sets overlap. Enforce the tenant
+				// binding explicitly so a token from a disallowed account class cannot
+				// pass: the issuer must name the token's own tenant, and the account
+				// class must match the configured restriction.
+				// @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
+				const tid = jwtClaims.tid;
+				if (
+					typeof tid !== "string" ||
+					jwtClaims.iss !== `${authority}/${tid}/v2.0`
+				) {
+					return false;
+				}
+				if (
+					tenant === "organizations" &&
+					tid === MICROSOFT_CONSUMER_TENANT_ID
+				) {
+					return false;
+				}
+				if (tenant === "consumers" && tid !== MICROSOFT_CONSUMER_TENANT_ID) {
+					return false;
+				}
+
 				return true;
 			} catch (error) {
 				logger.error("Failed to verify ID token:", error);

package/src/social-providers/paypal.ts

@@ -1,11 +1,20 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt } from "jose";
+import { decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 import { logger } from "../env";
-import { BetterAuthError } from "../error";
+import { APIError, BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import { createAuthorizationURL } from "../oauth2";
 
+/**
+ * ID token signing algorithms advertised by PayPal's OpenID configuration.
+ * Anything outside this allowlist is rejected so each token is only ever
+ * verified with the algorithm it was issued for.
+ *
+ * @see https://www.paypal.com/.well-known/openid-configuration
+ */
+const PAYPAL_ID_TOKEN_ALGORITHMS = ["RS256", "HS256"] as const;
+
 export interface PayPalProfile {
 	user_id: string;
 	name: string;
@@ -75,6 +84,19 @@ export const paypal = (options: PayPalOptions) => {
 		? "https://api-m.sandbox.paypal.com/v1/identity/oauth2/userinfo"
 		: "https://api-m.paypal.com/v1/identity/oauth2/userinfo";
 
+	/**
+	 * Issuer and JWKS endpoints used to cryptographically verify ID tokens.
+	 *
+	 * @see https://www.paypal.com/.well-known/openid-configuration
+	 */
+	const issuer = isSandbox
+		? "https://www.sandbox.paypal.com"
+		: "https://www.paypal.com";
+
+	const jwksEndpoint = isSandbox
+		? "https://api.sandbox.paypal.com/v1/oauth2/certs"
+		: "https://api.paypal.com/v1/oauth2/certs";
+
 	return {
 		id: "paypal",
 		name: "PayPal",
@@ -201,9 +223,48 @@ export const paypal = (options: PayPalOptions) => {
 			if (options.verifyIdToken) {
 				return options.verifyIdToken(token, nonce);
 			}
+
+			// Cryptographically verify the ID token. Decoding alone is not enough:
+			// the signature, issuer, audience and expiration must all be checked
+			// before the token's claims can be relied on as proof of identity.
+			// See https://www.paypal.com/.well-known/openid-configuration
+
 			try {
-				const payload = decodeJwt(token);
-				return !!payload.sub;
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!jwtAlg) return false;
+				if (
+					!PAYPAL_ID_TOKEN_ALGORITHMS.includes(
+						jwtAlg as (typeof PAYPAL_ID_TOKEN_ALGORITHMS)[number],
+					)
+				) {
+					return false;
+				}
+
+				// PayPal can sign ID tokens either asymmetrically (RS256, verified
+				// against the published JWKS) or symmetrically (HS256, verified with
+				// the client secret). Selecting the key by algorithm keeps the two
+				// paths separate so each algorithm is only verified with its
+				// corresponding key type.
+				const key =
+					jwtAlg === "HS256"
+						? new TextEncoder().encode(options.clientSecret)
+						: kid
+							? await getPayPalPublicKey(kid, jwksEndpoint)
+							: undefined;
+				if (!key) return false;
+
+				const { payload: jwtClaims } = await jwtVerify(token, key, {
+					algorithms: [jwtAlg],
+					issuer,
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				});
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
+
+				return true;
 			} catch (error) {
 				logger.error("Failed to verify PayPal ID token:", error);
 				return false;
@@ -261,3 +322,29 @@ export const paypal = (options: PayPalOptions) => {
 		options,
 	} satisfies OAuthProvider<PayPalProfile>;
 };
+
+export const getPayPalPublicKey = async (kid: string, jwksUri: string) => {
+	const { data } = await betterFetch<{
+		keys: Array<{
+			kid: string;
+			alg: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+		}>;
+	}>(jwksUri);
+
+	if (!data?.keys) {
+		throw new APIError("BAD_REQUEST", {
+			message: "Keys not found",
+		});
+	}
+
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) {
+		throw new Error(`JWK with kid ${kid} not found`);
+	}
+
+	return await importJWK(jwk, jwk.alg);
+};

package/src/social-providers/reddit.ts

@@ -104,15 +104,19 @@ export const reddit = (options: RedditOptions) => {
 			}
 
 			const userMap = await options.mapProfileToUser?.(profile);
-
+			// Reddit's identity scope does not return an email. Synthesize a stable,
+			// non-routable placeholder (RFC 2606 `.invalid`) keyed to the user's
+			// Reddit id rather than the routable `reddit.com`, which could collide
+			// with a real address. Left unverified; `mapProfileToUser` can override.
+			const email = userMap?.email || `${profile.id}@reddit.invalid`;
 			return {
 				user: {
 					id: profile.id,
 					name: profile.name,
-					email: profile.oauth_client_id,
-					emailVerified: profile.has_verified_email,
 					image: profile.icon_img?.split("?")[0]!,
 					...userMap,
+					email,
+					emailVerified: userMap?.emailVerified ?? false,
 				},
 				data: profile,
 			};