@better-auth/core 1.7.0-beta.1 → 1.7.0-beta.2

package/src/utils/host.ts

@@ -0,0 +1,401 @@
+import { isValidIP, normalizeIP } from "./ip";
+
+/**
+ * Host classification per RFC 6890 (Special-Purpose IP Address Registries),
+ * RFC 6761 (Special-Use Domain Names), and RFC 8252 §7.3 (loopback redirect URIs).
+ *
+ * This module is the single source of truth for "is this host public? private?
+ * loopback? link-local?" in the codebase. Consumers MUST prefer these predicates
+ * over bespoke regexes or substring matches; divergent checks are how bypass
+ * vulnerabilities get introduced (e.g. Oligo's "0.0.0.0 Day" 2024).
+ *
+ * Four user-facing primitives:
+ *
+ *   - `classifyHost(host)` — the workhorse. Returns a {@link HostClassification}
+ *     with `kind`, `literal`, and `canonical` fields.
+ *   - `isLoopbackIP(host)` — strict: IPv4 `127.0.0.0/8` or IPv6 `::1` only.
+ *     Use this for RFC 8252 §7.3 loopback redirect URI matching where IP
+ *     literals are REQUIRED.
+ *   - `isLoopbackHost(host)` — permissive: also accepts `localhost` and RFC 6761
+ *     `.localhost` subdomains. Use this for developer ergonomics (CORS, cookie
+ *     secure bypass, dev-mode HTTP allow-list).
+ *   - `isPublicRoutableHost(host)` — SSRF gate. Returns false for every
+ *     non-`public` kind. Use this before server-side fetches to user-controlled
+ *     URLs.
+ */
+
+/**
+ * The semantic kind of a host, derived from RFC 6890 special-purpose registries
+ * plus a few domain-name categories (localhost, cloud metadata FQDNs).
+ */
+export type HostKind =
+	/** IPv4 `127.0.0.0/8` or IPv6 `::1`. */
+	| "loopback"
+	/** DNS name `localhost` or RFC 6761 `.localhost` TLD. */
+	| "localhost"
+	/** IPv4 `0.0.0.0` or IPv6 `::` — "this host on this network", not loopback. */
+	| "unspecified"
+	/** RFC 1918 `10/8`, `172.16/12`, `192.168/16`, or IPv6 ULA `fc00::/7`. */
+	| "private"
+	/** IPv4 `169.254/16` or IPv6 `fe80::/10`. Includes AWS IMDS `169.254.169.254`. */
+	| "linkLocal"
+	/** RFC 6598 carrier-grade NAT `100.64.0.0/10`. */
+	| "sharedAddressSpace"
+	/** RFC 5737 `192.0.2/24`, `198.51.100/24`, `203.0.113/24`, or RFC 3849 `2001:db8::/32`. */
+	| "documentation"
+	/** RFC 2544 `198.18.0.0/15`. */
+	| "benchmarking"
+	/** IPv4 `224.0.0.0/4` or IPv6 `ff00::/8`. */
+	| "multicast"
+	/** IPv4 limited broadcast `255.255.255.255`. */
+	| "broadcast"
+	/** Other RFC 6890 special-purpose ranges (0/8, 192.0.0/24, 240/4, 2001::/32, etc.). */
+	| "reserved"
+	/** Cloud metadata service FQDN (e.g. `metadata.google.internal`). */
+	| "cloudMetadata"
+	/** Any host not matching a special-purpose range above. */
+	| "public";
+
+/**
+ * The syntactic form of the input host: an IPv4 literal, an IPv6 literal, or
+ * a domain name. IPv4-mapped IPv6 (`::ffff:192.0.2.1`) is reported as `ipv4`
+ * because it's unmapped during canonicalization.
+ */
+export type HostLiteral = "ipv4" | "ipv6" | "fqdn";
+
+/**
+ * Result of {@link classifyHost}. All fields are readonly.
+ *
+ * @property kind - Semantic classification per RFC 6890 + RFC 6761.
+ * @property literal - Syntactic form of the input (IPv4, IPv6, or FQDN).
+ * @property canonical - Lowercase, port-stripped, bracket-stripped, zone-id-stripped
+ *   form suitable for equality comparison. IPv6 is expanded to full form.
+ *   IPv4-mapped IPv6 is collapsed to the underlying IPv4.
+ */
+export interface HostClassification {
+	readonly kind: HostKind;
+	readonly literal: HostLiteral;
+	readonly canonical: string;
+}
+
+/**
+ * Cloud provider instance metadata service FQDNs. These resolve to link-local
+ * IPs (usually `169.254.169.254`) inside their respective clouds and are
+ * prime SSRF targets.
+ *
+ * The IPs themselves are already caught by the `linkLocal` kind; this set
+ * only exists for the FQDN form that a naive server-side fetch might resolve
+ * via its own resolver.
+ */
+const CLOUD_METADATA_HOSTS: ReadonlySet<string> = new Set([
+	"metadata.google.internal",
+	"metadata.goog",
+	"metadata",
+	"instance-data",
+	"instance-data.ec2.internal",
+]);
+
+/** Strip `[...]` if the entire input is bracketed (IPv6 literal form). */
+function stripBrackets(host: string): string {
+	if (host.length >= 2 && host.startsWith("[") && host.endsWith("]")) {
+		return host.slice(1, -1);
+	}
+	return host;
+}
+
+/**
+ * Strip trailing `:port` from host-with-port strings.
+ *
+ * - Bracketed IPv6 with port: `[::1]:8080` → `[::1]`
+ * - IPv4/FQDN with port: `127.0.0.1:3000` / `example.com:443` → base form
+ * - Bare IPv6: `::1` / `fe80::1` → unchanged (multiple colons means no port)
+ */
+function stripPort(host: string): string {
+	if (host.startsWith("[")) {
+		const end = host.indexOf("]");
+		if (end === -1) return host;
+		return host.slice(0, end + 1);
+	}
+	const firstColon = host.indexOf(":");
+	if (firstColon === -1) return host;
+	if (host.indexOf(":", firstColon + 1) !== -1) return host;
+	return host.slice(0, firstColon);
+}
+
+/** Strip IPv6 zone identifier: `fe80::1%eth0` → `fe80::1`. */
+function stripZoneId(host: string): string {
+	const zone = host.indexOf("%");
+	if (zone === -1) return host;
+	return host.slice(0, zone);
+}
+
+/**
+ * Strip trailing dots (RFC 1034 absolute DNS form): `localhost.` → `localhost`.
+ * Without this, `metadata.google.internal.` would fall through to `public` and
+ * bypass the cloud-metadata / `.localhost` checks, since WHATWG URL parsing
+ * preserves the trailing dot in `url.hostname`.
+ */
+function stripTrailingDot(host: string): string {
+	return host.replace(/\.+$/, "");
+}
+
+/** Fast dotted-decimal shape check. Does NOT validate octet bounds. */
+function looksLikeIPv4(host: string): boolean {
+	return /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
+}
+
+/** Pack a validated dotted-decimal IPv4 into a 32-bit unsigned integer. */
+function ipv4ToUint32(ip: string): number {
+	const parts = ip.split(".");
+	return (
+		((Number(parts[0]) << 24) |
+			(Number(parts[1]) << 16) |
+			(Number(parts[2]) << 8) |
+			Number(parts[3])) >>>
+		0
+	);
+}
+
+/** Check whether a 32-bit value matches `prefix/length` (both unsigned). */
+function inIPv4Range(value: number, prefix: number, length: number): boolean {
+	if (length === 0) return true;
+	const mask = length === 32 ? 0xffffffff : (~0 << (32 - length)) >>> 0;
+	return (value & mask) === (prefix & mask);
+}
+
+function classifyIPv4(ip: string): HostKind {
+	if (ip === "0.0.0.0") return "unspecified";
+	if (ip === "255.255.255.255") return "broadcast";
+
+	const n = ipv4ToUint32(ip);
+
+	if (inIPv4Range(n, ipv4ToUint32("127.0.0.0"), 8)) return "loopback";
+	if (inIPv4Range(n, ipv4ToUint32("10.0.0.0"), 8)) return "private";
+	if (inIPv4Range(n, ipv4ToUint32("172.16.0.0"), 12)) return "private";
+	if (inIPv4Range(n, ipv4ToUint32("192.168.0.0"), 16)) return "private";
+	if (inIPv4Range(n, ipv4ToUint32("169.254.0.0"), 16)) return "linkLocal";
+	if (inIPv4Range(n, ipv4ToUint32("100.64.0.0"), 10))
+		return "sharedAddressSpace";
+	if (inIPv4Range(n, ipv4ToUint32("192.0.2.0"), 24)) return "documentation";
+	if (inIPv4Range(n, ipv4ToUint32("198.51.100.0"), 24)) return "documentation";
+	if (inIPv4Range(n, ipv4ToUint32("203.0.113.0"), 24)) return "documentation";
+	if (inIPv4Range(n, ipv4ToUint32("198.18.0.0"), 15)) return "benchmarking";
+	if (inIPv4Range(n, ipv4ToUint32("224.0.0.0"), 4)) return "multicast";
+	if (inIPv4Range(n, ipv4ToUint32("0.0.0.0"), 8)) return "reserved";
+	if (inIPv4Range(n, ipv4ToUint32("192.0.0.0"), 24)) return "reserved";
+	if (inIPv4Range(n, ipv4ToUint32("240.0.0.0"), 4)) return "reserved";
+
+	return "public";
+}
+
+/**
+ * Extract an IPv4 address embedded in an expanded IPv6 literal.
+ *
+ * Used to recurse into tunnel/translation forms (6to4, NAT64, Teredo) so a
+ * private destination cannot be smuggled behind a syntactically-public IPv6
+ * literal. `startGroup` is the index of the first of two 16-bit groups in the
+ * expanded form (`0000:0000:...`). With `xor: true`, the 32-bit value is XORed
+ * with `0xffffffff` before decoding (Teredo obfuscates the client IPv4 this
+ * way).
+ */
+function extractEmbeddedIPv4(
+	expanded: string,
+	startGroup: number,
+	options: { xor?: boolean } = {},
+): string | null {
+	const offset = startGroup * 5;
+	const g1 = Number.parseInt(expanded.slice(offset, offset + 4), 16);
+	const g2 = Number.parseInt(expanded.slice(offset + 5, offset + 9), 16);
+	if (!Number.isFinite(g1) || !Number.isFinite(g2)) return null;
+	let combined = ((g1 << 16) | g2) >>> 0;
+	if (options.xor) combined = (combined ^ 0xffffffff) >>> 0;
+	return `${(combined >>> 24) & 0xff}.${(combined >>> 16) & 0xff}.${(combined >>> 8) & 0xff}.${combined & 0xff}`;
+}
+
+/**
+ * Classify an expanded, full-form, lowercase IPv6 address (no IPv4-mapped
+ * input — those are unmapped to IPv4 before reaching here).
+ *
+ * 6to4 (`2002::/16`), NAT64 (`64:ff9b::/96`) and Teredo (`2001:0000::/32`)
+ * embed an IPv4 that can route to private/loopback space. If the embedded
+ * IPv4 classifies as non-`public`, return `reserved` — blocks SSRF without
+ * advertising the address as a loopback literal for RFC 8252 §7.3 matching.
+ */
+function classifyIPv6(expanded: string): HostKind {
+	if (expanded === "0000:0000:0000:0000:0000:0000:0000:0000")
+		return "unspecified";
+	if (expanded === "0000:0000:0000:0000:0000:0000:0000:0001") return "loopback";
+
+	const firstByte = Number.parseInt(expanded.slice(0, 2), 16);
+	const secondByte = Number.parseInt(expanded.slice(2, 4), 16);
+
+	if (firstByte === 0xff) return "multicast";
+	if (firstByte === 0xfe && (secondByte & 0xc0) === 0x80) return "linkLocal";
+	if ((firstByte & 0xfe) === 0xfc) return "private";
+
+	if (expanded.startsWith("2001:0db8:")) return "documentation";
+
+	if (expanded.startsWith("2002:")) {
+		const embedded = extractEmbeddedIPv4(expanded, 1);
+		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
+		return "public";
+	}
+
+	if (expanded.startsWith("0064:ff9b:0000:0000:0000:0000:")) {
+		const embedded = extractEmbeddedIPv4(expanded, 6);
+		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
+		return "reserved";
+	}
+
+	if (expanded.startsWith("2001:0000:")) {
+		const embedded = extractEmbeddedIPv4(expanded, 6, { xor: true });
+		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
+		return "reserved";
+	}
+
+	if (expanded.startsWith("0100:0000:0000:0000:")) return "reserved";
+
+	return "public";
+}
+
+/**
+ * Classify a host string according to RFC 6890 / RFC 6761.
+ *
+ * Accepts inputs in any of these shapes and normalizes before classifying:
+ *
+ *   - Bare IPv4: `127.0.0.1`
+ *   - Bare IPv6: `::1`, `fe80::1%eth0`
+ *   - Bracketed IPv6: `[::1]`
+ *   - Host with port: `localhost:3000`, `127.0.0.1:443`, `[::1]:8080`
+ *   - FQDN: `example.com`, `tenant.localhost`
+ *   - IPv4-mapped IPv6: `::ffff:192.0.2.1` (reported as `literal: "ipv4"`)
+ *
+ * Invalid or non-resolvable FQDNs are returned as `{ kind: "public", literal: "fqdn" }`
+ * — this function never throws. Callers that need structural validation must
+ * combine this with a URL/hostname validator upstream.
+ *
+ * @example
+ * classifyHost("127.0.0.1")
+ * // { kind: "loopback", literal: "ipv4", canonical: "127.0.0.1" }
+ *
+ * @example
+ * classifyHost("[::1]:8080")
+ * // { kind: "loopback", literal: "ipv6", canonical: "0000:0000:...:0001" }
+ *
+ * @example
+ * classifyHost("::ffff:192.0.2.1")
+ * // { kind: "documentation", literal: "ipv4", canonical: "192.0.2.1" }
+ *
+ * @example
+ * classifyHost("tenant-a.localhost")
+ * // { kind: "localhost", literal: "fqdn", canonical: "tenant-a.localhost" }
+ */
+export function classifyHost(host: string): HostClassification {
+	const stripped = stripTrailingDot(
+		stripZoneId(stripBrackets(stripPort(host.trim()))),
+	);
+	const lowered = stripped.toLowerCase();
+
+	if (lowered === "") {
+		return { kind: "reserved", literal: "fqdn", canonical: "" };
+	}
+
+	if (!isValidIP(lowered)) {
+		if (lowered === "localhost" || lowered.endsWith(".localhost")) {
+			return { kind: "localhost", literal: "fqdn", canonical: lowered };
+		}
+		if (CLOUD_METADATA_HOSTS.has(lowered)) {
+			return { kind: "cloudMetadata", literal: "fqdn", canonical: lowered };
+		}
+		return { kind: "public", literal: "fqdn", canonical: lowered };
+	}
+
+	if (looksLikeIPv4(lowered)) {
+		return { kind: classifyIPv4(lowered), literal: "ipv4", canonical: lowered };
+	}
+
+	const canonical = normalizeIP(lowered, { ipv6Subnet: 128 });
+
+	if (looksLikeIPv4(canonical)) {
+		return {
+			kind: classifyIPv4(canonical),
+			literal: "ipv4",
+			canonical,
+		};
+	}
+
+	return { kind: classifyIPv6(canonical), literal: "ipv6", canonical };
+}
+
+/**
+ * Strict loopback-IP-literal check per RFC 8252 §7.3.
+ *
+ * Returns true ONLY for IPv4 `127.0.0.0/8` or IPv6 `::1`. The DNS name
+ * `localhost` returns false — RFC 8252 §8.3 explicitly recommends against
+ * relying on name resolution for loopback redirect URIs.
+ *
+ * Use this for OAuth redirect URI matching.
+ *
+ * @example
+ * isLoopbackIP("127.0.0.1")     // true
+ * isLoopbackIP("::1")           // true
+ * isLoopbackIP("[::1]:8080")    // true
+ * isLoopbackIP("localhost")     // false  (use isLoopbackHost for DNS names)
+ * isLoopbackIP("0.0.0.0")       // false  (unspecified, not loopback)
+ */
+export function isLoopbackIP(host: string): boolean {
+	return classifyHost(host).kind === "loopback";
+}
+
+/**
+ * Permissive loopback check for developer-ergonomics code paths.
+ *
+ * Returns true for IPv4 `127.0.0.0/8`, IPv6 `::1`, the literal name `localhost`,
+ * and any RFC 6761 `.localhost` subdomain (`tenant.localhost`, `app.localhost`).
+ *
+ * Use this for things like: allowing HTTP for dev servers, skipping Secure
+ * cookie requirements, browser-trust heuristics. Do NOT use this for OAuth
+ * redirect URI matching — use {@link isLoopbackIP} there.
+ *
+ * @example
+ * isLoopbackHost("localhost")         // true
+ * isLoopbackHost("tenant.localhost")  // true  (RFC 6761)
+ * isLoopbackHost("127.0.0.1")         // true
+ * isLoopbackHost("0.0.0.0")           // false (unspecified, NOT loopback)
+ */
+export function isLoopbackHost(host: string): boolean {
+	const kind = classifyHost(host).kind;
+	return kind === "loopback" || kind === "localhost";
+}
+
+/**
+ * First-line SSRF gate: returns true ONLY for hosts that classify as `public`.
+ *
+ * Every RFC 6890 special-purpose range (loopback, private, link-local,
+ * unspecified, documentation, multicast, broadcast, reserved, shared address
+ * space, benchmarking) and cloud-metadata FQDN returns false.
+ *
+ * Use this BEFORE issuing a server-side fetch to a user-supplied URL, e.g.
+ * OAuth introspection endpoints, webhook targets, or metadata-document
+ * fetches (CIMD).
+ *
+ * Limitations (this is a syntactic check, not a complete SSRF mitigation):
+ * - No DNS resolution: a public-looking FQDN that resolves to a private IP
+ *   passes this check. Re-verify the resolved address before connecting, or
+ *   pin the socket to the resolved IP.
+ * - No DNS-rebinding defense: attackers can return a public IP on the first
+ *   lookup and a private IP on the second. Resolve once and reuse the IP.
+ * - No redirect following: HTTP 3xx responses can redirect to private hosts.
+ *   Re-run this check on every redirect target, or disable auto-follow.
+ *
+ * @example
+ * isPublicRoutableHost("example.com")            // true
+ * isPublicRoutableHost("127.0.0.1")              // false (loopback)
+ * isPublicRoutableHost("169.254.169.254")        // false (linkLocal / AWS IMDS)
+ * isPublicRoutableHost("metadata.google.internal") // false (cloudMetadata)
+ * isPublicRoutableHost("10.0.0.1")               // false (private)
+ * isPublicRoutableHost("::ffff:127.0.0.1")       // false (mapped loopback)
+ */
+export function isPublicRoutableHost(host: string): boolean {
+	return classifyHost(host).kind === "public";
+}

package/src/utils/is-api-error.ts

@@ -0,0 +1,10 @@
+import { APIError as BaseAPIError } from "better-call";
+import { APIError } from "../error";
+
+export function isAPIError(error: unknown): error is APIError {
+	return (
+		error instanceof BaseAPIError ||
+		error instanceof APIError ||
+		(error as { name?: string })?.name === "APIError"
+	);
+}