@better-auth/core 1.7.0-beta.2 → 1.7.0-beta.4

package/src/social-providers/dropbox.ts

@@ -36,14 +36,11 @@ export const dropbox = (options: DropboxOptions) => {
 			scopes,
 			codeVerifier,
 			redirectURI,
+			additionalParams,
 		}) => {
 			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
-			const additionalParams: Record<string, string> = {};
-			if (options.accessType) {
-				additionalParams.token_access_type = options.accessType;
-			}
 			return await createAuthorizationURL({
 				id: "dropbox",
 				options,
@@ -52,7 +49,12 @@ export const dropbox = (options: DropboxOptions) => {
 				state,
 				redirectURI,
 				codeVerifier,
-				additionalParams,
+				additionalParams: {
+					...(options.accessType
+						? { token_access_type: options.accessType }
+						: {}),
+					...(additionalParams ?? {}),
+				},
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/src/social-providers/facebook.ts

@@ -12,8 +12,8 @@ import {
 export interface FacebookProfile {
 	id: string;
 	name: string;
-	email: string;
-	email_verified: boolean;
+	email?: string;
+	email_verified?: boolean;
 	picture: {
 		data: {
 			height: number;
@@ -43,7 +43,13 @@ export const facebook = (options: FacebookOptions) => {
 	return {
 		id: "facebook",
 		name: "Facebook",
-		async createAuthorizationURL({ state, scopes, redirectURI, loginHint }) {
+		async createAuthorizationURL({
+			state,
+			scopes,
+			redirectURI,
+			loginHint,
+			additionalParams,
+		}) {
 			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error(
 					"Client ID and client secret are required for Facebook. Make sure to provide them in the options.",
@@ -63,11 +69,10 @@ export const facebook = (options: FacebookOptions) => {
 				state,
 				redirectURI,
 				loginHint,
-				additionalParams: options.configId
-					? {
-							config_id: options.configId,
-						}
-					: {},
+				additionalParams: {
+					...(options.configId ? { config_id: options.configId } : {}),
+					...(additionalParams ?? {}),
+				},
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
@@ -204,7 +209,7 @@ export const facebook = (options: FacebookOptions) => {
 					name: profile.name,
 					email: profile.email,
 					image: profile.picture.data.url,
-					emailVerified: profile.email_verified,
+					emailVerified: profile.email_verified ?? false,
 					...userMap,
 				},
 				data: profile,

package/src/social-providers/figma.ts

@@ -24,7 +24,13 @@ export const figma = (options: FigmaOptions) => {
 	return {
 		id: "figma",
 		name: "Figma",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		async createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			additionalParams,
+		}) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error(
 					"Client Id and Client Secret are required for Figma. Make sure to provide them in the options.",
@@ -47,6 +53,7 @@ export const figma = (options: FigmaOptions) => {
 				state,
 				codeVerifier,
 				redirectURI,
+				additionalParams,
 			});
 
 			return url;

package/src/social-providers/github.ts

@@ -6,7 +6,7 @@ import {
 	getOAuth2Tokens,
 	refreshAccessToken,
 } from "../oauth2";
-import { createAuthorizationCodeRequest } from "../oauth2/validate-authorization-code";
+import { authorizationCodeRequest } from "../oauth2/validate-authorization-code";
 
 export interface GithubProfile {
 	login: string;
@@ -31,7 +31,7 @@ export interface GithubProfile {
 	company: string;
 	blog: string;
 	location: string;
-	email: string;
+	email: string | null;
 	hireable: boolean;
 	bio: string;
 	twitter_username: string;
@@ -69,6 +69,7 @@ export const github = (options: GithubOptions) => {
 			loginHint,
 			codeVerifier,
 			redirectURI,
+			additionalParams,
 		}) {
 			const _scopes = options.disableDefaultScope
 				? []
@@ -85,10 +86,11 @@ export const github = (options: GithubOptions) => {
 				redirectURI,
 				loginHint,
 				prompt: options.prompt,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
-			const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+			const { body, headers: requestHeaders } = await authorizationCodeRequest({
 				code,
 				codeVerifier,
 				redirectURI,

package/src/social-providers/gitlab.ts

@@ -87,6 +87,7 @@ export const gitlab = (options: GitlabOptions) => {
 			codeVerifier,
 			loginHint,
 			redirectURI,
+			additionalParams,
 		}) => {
 			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
 			if (options.scope) _scopes.push(...options.scope);
@@ -100,6 +101,7 @@ export const gitlab = (options: GitlabOptions) => {
 				redirectURI,
 				codeVerifier,
 				loginHint,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {

package/src/social-providers/google.ts

@@ -64,6 +64,7 @@ export const google = (options: GoogleOptions) => {
 			redirectURI,
 			loginHint,
 			display,
+			additionalParams,
 		}) {
 			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error(
@@ -94,6 +95,7 @@ export const google = (options: GoogleOptions) => {
 				hd: options.hd,
 				additionalParams: {
 					include_granted_scopes: "true",
+					...(additionalParams ?? {}),
 				},
 			});
 			return url;

package/src/social-providers/huggingface.ts

@@ -47,7 +47,13 @@ export const huggingface = (options: HuggingFaceOptions) => {
 	return {
 		id: "huggingface",
 		name: "Hugging Face",
-		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			additionalParams,
+		}) {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["openid", "profile", "email"];
@@ -61,6 +67,7 @@ export const huggingface = (options: HuggingFaceOptions) => {
 				state,
 				codeVerifier,
 				redirectURI,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/src/social-providers/kakao.ts

@@ -106,7 +106,7 @@ export const kakao = (options: KakaoOptions) => {
 	return {
 		id: "kakao",
 		name: "Kakao",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["account_email", "profile_image", "profile_nickname"];
@@ -119,6 +119,7 @@ export const kakao = (options: KakaoOptions) => {
 				scopes: _scopes,
 				state,
 				redirectURI,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {

package/src/social-providers/kick.ts

@@ -33,7 +33,13 @@ export const kick = (options: KickOptions) => {
 	return {
 		id: "kick",
 		name: "Kick",
-		createAuthorizationURL({ state, scopes, redirectURI, codeVerifier }) {
+		createAuthorizationURL({
+			state,
+			scopes,
+			redirectURI,
+			codeVerifier,
+			additionalParams,
+		}) {
 			const _scopes = options.disableDefaultScope ? [] : ["user:read"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
@@ -46,6 +52,7 @@ export const kick = (options: KickOptions) => {
 				scopes: _scopes,
 				codeVerifier,
 				state,
+				additionalParams,
 			});
 		},
 		async validateAuthorizationCode({ code, redirectURI, codeVerifier }) {

package/src/social-providers/line.ts

@@ -56,6 +56,7 @@ export const line = (options: LineOptions) => {
 			codeVerifier,
 			redirectURI,
 			loginHint,
+			additionalParams,
 		}) {
 			const _scopes = options.disableDefaultScope
 				? []
@@ -71,6 +72,7 @@ export const line = (options: LineOptions) => {
 				codeVerifier,
 				redirectURI,
 				loginHint,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/src/social-providers/linear.ts

@@ -31,7 +31,13 @@ export const linear = (options: LinearOptions) => {
 	return {
 		id: "linear",
 		name: "Linear",
-		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+		createAuthorizationURL({
+			state,
+			scopes,
+			loginHint,
+			redirectURI,
+			additionalParams,
+		}) {
 			const _scopes = options.disableDefaultScope ? [] : ["read"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
@@ -43,6 +49,7 @@ export const linear = (options: LinearOptions) => {
 				state,
 				redirectURI,
 				loginHint,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {

package/src/social-providers/linkedin.ts

@@ -16,8 +16,8 @@ export interface LinkedInProfile {
 		country: string;
 		language: string;
 	};
-	email: string;
-	email_verified: boolean;
+	email?: string;
+	email_verified?: boolean;
 }
 
 export interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
@@ -37,6 +37,7 @@ export const linkedin = (options: LinkedInOptions) => {
 			scopes,
 			redirectURI,
 			loginHint,
+			additionalParams,
 		}) => {
 			const _scopes = options.disableDefaultScope
 				? []
@@ -51,6 +52,7 @@ export const linkedin = (options: LinkedInOptions) => {
 				state,
 				loginHint,
 				redirectURI,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
@@ -98,7 +100,7 @@ export const linkedin = (options: LinkedInOptions) => {
 					id: profile.sub,
 					name: profile.name,
 					email: profile.email,
-					emailVerified: profile.email_verified || false,
+					emailVerified: profile.email_verified ?? false,
 					image: profile.picture,
 					...userMap,
 				},

package/src/social-providers/microsoft-entra-id.ts

@@ -36,7 +36,7 @@ export interface MicrosoftEntraIDProfile extends Record<string, any> {
 	/** The primary username that represents the user */
 	preferred_username: string;
 	/** User's email address */
-	email: string;
+	email?: string;
 	/** Human-readable value that identifies the subject of the token */
 	name: string;
 	/** Matches the parameter included in the original authorize request */
@@ -174,6 +174,7 @@ export const microsoft = (options: MicrosoftOptions) => {
 				redirectURI: data.redirectURI,
 				prompt: options.prompt,
 				loginHint: data.loginHint,
+				additionalParams: data.additionalParams,
 			});
 		},
 		validateAuthorizationCode({ code, codeVerifier, redirectURI }) {

package/src/social-providers/naver.ts

@@ -44,7 +44,7 @@ export const naver = (options: NaverOptions) => {
 	return {
 		id: "naver",
 		name: "Naver",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			const _scopes = options.disableDefaultScope ? [] : ["profile", "email"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
@@ -55,6 +55,7 @@ export const naver = (options: NaverOptions) => {
 				scopes: _scopes,
 				state,
 				redirectURI,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {

package/src/social-providers/notion.ts

@@ -28,7 +28,13 @@ export const notion = (options: NotionOptions) => {
 	return {
 		id: "notion",
 		name: "Notion",
-		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+		createAuthorizationURL({
+			state,
+			scopes,
+			loginHint,
+			redirectURI,
+			additionalParams,
+		}) {
 			const _scopes: string[] = options.disableDefaultScope ? [] : [];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
@@ -41,6 +47,7 @@ export const notion = (options: NotionOptions) => {
 				redirectURI,
 				loginHint,
 				additionalParams: {
+					...(additionalParams ?? {}),
 					owner: "user",
 				},
 			});

package/src/social-providers/paybin.ts

@@ -42,6 +42,7 @@ export const paybin = (options: PaybinOptions) => {
 			codeVerifier,
 			redirectURI,
 			loginHint,
+			additionalParams,
 		}) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error(
@@ -67,6 +68,7 @@ export const paybin = (options: PaybinOptions) => {
 				redirectURI,
 				prompt: options.prompt,
 				loginHint,
+				additionalParams,
 			});
 			return url;
 		},

package/src/social-providers/paypal.ts

@@ -78,7 +78,12 @@ export const paypal = (options: PayPalOptions) => {
 	return {
 		id: "paypal",
 		name: "PayPal",
-		async createAuthorizationURL({ state, codeVerifier, redirectURI }) {
+		async createAuthorizationURL({
+			state,
+			codeVerifier,
+			redirectURI,
+			additionalParams,
+		}) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error(
 					"Client Id and Client Secret is required for PayPal. Make sure to provide them in the options.",
@@ -103,6 +108,7 @@ export const paypal = (options: PayPalOptions) => {
 				codeVerifier,
 				redirectURI,
 				prompt: options.prompt,
+				additionalParams,
 			});
 			return url;
 		},

package/src/social-providers/polar.ts

@@ -37,7 +37,13 @@ export const polar = (options: PolarOptions) => {
 	return {
 		id: "polar",
 		name: "Polar",
-		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			additionalParams,
+		}) {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["openid", "profile", "email"];
@@ -52,6 +58,7 @@ export const polar = (options: PolarOptions) => {
 				codeVerifier,
 				redirectURI,
 				prompt: options.prompt,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/src/social-providers/railway.ts

@@ -29,7 +29,13 @@ export const railway = (options: RailwayOptions) => {
 	return {
 		id: "railway",
 		name: "Railway",
-		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			additionalParams,
+		}) {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["openid", "email", "profile"];
@@ -43,6 +49,7 @@ export const railway = (options: RailwayOptions) => {
 				state,
 				codeVerifier,
 				redirectURI,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/src/social-providers/reddit.ts

@@ -25,7 +25,7 @@ export const reddit = (options: RedditOptions) => {
 	return {
 		id: "reddit",
 		name: "Reddit",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			const _scopes = options.disableDefaultScope ? [] : ["identity"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
@@ -37,6 +37,7 @@ export const reddit = (options: RedditOptions) => {
 				state,
 				redirectURI,
 				duration: options.duration,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {

package/src/social-providers/roblox.ts

@@ -1,6 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
-import { refreshAccessToken, validateAuthorizationCode } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
 
 export interface RobloxProfile extends Record<string, any> {
 	/** the user's id */
@@ -37,19 +41,20 @@ export const roblox = (options: RobloxOptions) => {
 	return {
 		id: "roblox",
 		name: "Roblox",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			const _scopes = options.disableDefaultScope ? [] : ["openid", "profile"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
-			return new URL(
-				`https://apis.roblox.com/oauth/v1/authorize?scope=${_scopes.join(
-					"+",
-				)}&response_type=code&client_id=${
-					options.clientId
-				}&redirect_uri=${encodeURIComponent(
-					options.redirectURI || redirectURI,
-				)}&state=${state}&prompt=${options.prompt || "select_account consent"}`,
-			);
+			return createAuthorizationURL({
+				id: "roblox",
+				options,
+				authorizationEndpoint: "https://apis.roblox.com/oauth/v1/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				prompt: options.prompt || "select_account consent",
+				additionalParams,
+			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
 			return validateAuthorizationCode({

package/src/social-providers/salesforce.ts

@@ -64,7 +64,13 @@ export const salesforce = (options: SalesforceOptions) => {
 		id: "salesforce",
 		name: "Salesforce",
 
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		async createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			additionalParams,
+		}) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error(
 					"Client Id and Client Secret are required for Salesforce. Make sure to provide them in the options.",
@@ -89,6 +95,7 @@ export const salesforce = (options: SalesforceOptions) => {
 				state,
 				codeVerifier,
 				redirectURI: options.redirectURI || redirectURI,
+				additionalParams,
 			});
 		},
 

package/src/social-providers/slack.ts

@@ -1,6 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
-import { refreshAccessToken, validateAuthorizationCode } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
 
 export interface SlackProfile extends Record<string, any> {
 	ok: boolean;
@@ -42,19 +46,21 @@ export const slack = (options: SlackOptions) => {
 	return {
 		id: "slack",
 		name: "Slack",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["openid", "profile", "email"];
 			if (scopes) _scopes.push(...scopes);
 			if (options.scope) _scopes.push(...options.scope);
-			const url = new URL("https://slack.com/openid/connect/authorize");
-			url.searchParams.set("scope", _scopes.join(" "));
-			url.searchParams.set("response_type", "code");
-			url.searchParams.set("client_id", options.clientId);
-			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
-			url.searchParams.set("state", state);
-			return url;
+			return createAuthorizationURL({
+				id: "slack",
+				options,
+				authorizationEndpoint: "https://slack.com/openid/connect/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				additionalParams,
+			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
 			return validateAuthorizationCode({

package/src/social-providers/spotify.ts

@@ -24,7 +24,13 @@ export const spotify = (options: SpotifyOptions) => {
 	return {
 		id: "spotify",
 		name: "Spotify",
-		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			additionalParams,
+		}) {
 			const _scopes = options.disableDefaultScope ? [] : ["user-read-email"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
@@ -36,6 +42,7 @@ export const spotify = (options: SpotifyOptions) => {
 				state,
 				codeVerifier,
 				redirectURI,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/src/social-providers/tiktok.ts

@@ -1,6 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
-import { refreshAccessToken, validateAuthorizationCode } from "../oauth2";
+import {
+	RESERVED_AUTHORIZATION_PARAMS_SET,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
 
 /**
  * [More info](https://developers.tiktok.com/doc/tiktok-api-v2-get-user-info/)
@@ -131,17 +135,26 @@ export const tiktok = (options: TiktokOptions) => {
 	return {
 		id: "tiktok",
 		name: "TikTok",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			const _scopes = options.disableDefaultScope ? [] : ["user.info.profile"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
-			return new URL(
-				`https://www.tiktok.com/v2/auth/authorize?scope=${_scopes.join(
-					",",
-				)}&response_type=code&client_key=${options.clientKey}&redirect_uri=${encodeURIComponent(
-					options.redirectURI || redirectURI,
-				)}&state=${state}`,
-			);
+			// TikTok uses `client_key` instead of the standard `client_id`, so the
+			// shared createAuthorizationURL helper cannot be used directly.
+			const url = new URL("https://www.tiktok.com/v2/auth/authorize");
+			url.searchParams.set("scope", _scopes.join(","));
+			url.searchParams.set("response_type", "code");
+			url.searchParams.set("client_key", options.clientKey);
+			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+			url.searchParams.set("state", state);
+			if (additionalParams) {
+				for (const [key, value] of Object.entries(additionalParams)) {
+					if (RESERVED_AUTHORIZATION_PARAMS_SET.has(key)) continue;
+					if (key === "client_key") continue;
+					url.searchParams.set(key, value);
+				}
+			}
+			return url;
 		},
 
 		validateAuthorizationCode: async ({ code, redirectURI }) => {