@better-auth/core 1.7.0-beta.3 → 1.7.0-beta.5

package/src/oauth2/verify.ts

@@ -9,13 +9,38 @@ import type {
 import {
 	createLocalJWKSet,
 	decodeProtectedHeader,
+	errors as joseErrors,
 	jwtVerify,
 	UnsecuredJWT,
 } from "jose";
 import { logger } from "../env";
 
-/** Last fetched jwks used locally in getJwks @internal */
-let jwks: JSONWebKeySet | undefined;
+const joseInfrastructureErrorCodes = new Set([
+	joseErrors.JWKSTimeout.code,
+	joseErrors.JWKSInvalid.code,
+	joseErrors.JWKSMultipleMatchingKeys.code,
+]);
+
+function isJoseInfrastructureError(error: joseErrors.JOSEError) {
+	return joseInfrastructureErrorCodes.has(error.code);
+}
+
+interface JwksCacheEntry {
+	jwks: JSONWebKeySet;
+	fetchedAt: number;
+}
+
+const jwksCache = new Map<
+	string | (() => Promise<JSONWebKeySet | undefined>),
+	JwksCacheEntry
+>();
+
+/**
+ * How long a cached JWKS is trusted before it is refetched
+ *
+ * @internal
+ */
+const JWKS_CACHE_TTL_MS = 5 * 60 * 1000;
 
 export interface VerifyAccessTokenRemote {
 	/** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
@@ -30,6 +55,20 @@ export interface VerifyAccessTokenRemote {
 	 * is also still active.
 	 */
 	force?: boolean;
+	/**
+	 * Accept introspection responses that omit the `aud` claim even when a
+	 * required `audience` is configured in `verifyOptions`.
+	 *
+	 * By default verification fails closed: if you configure an `audience` and
+	 * the introspection response has no `aud` (or a mismatching one), the token
+	 * is rejected. Some authorization servers legitimately omit `aud` from
+	 * introspection responses (it is OPTIONAL per RFC 7662 §2.2); only enable
+	 * this if you trust the issuer to bind the token to this resource through
+	 * another mechanism, as it skips the audience check in that case.
+	 *
+	 * @default false
+	 */
+	allowMissingAudience?: boolean;
 }
 
 /**
@@ -82,11 +121,24 @@ export async function getJwks(
 		throw new Error(error as unknown as string);
 	}
 
-	if (!jwtHeaders.kid) throw new Error("Missing jwt kid");
+	if (!jwtHeaders.kid) {
+		throw new APIError("UNAUTHORIZED", { message: "invalid access token" });
+	}
+	const kid = jwtHeaders.kid;
+
+	const cacheKey = opts.jwksFetch;
+	const cached = jwksCache.get(cacheKey);
+	const isFresh = cached
+		? Date.now() - cached.fetchedAt < JWKS_CACHE_TTL_MS
+		: false;
+	const hasKid = cached?.jwks.keys.some((jwk) => jwk.kid === kid) ?? false;
 
-	// Fetch jwks if not set or has a different kid than the one stored
-	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
-		jwks =
+	// Refetch when this source has no cached set, the cached set has expired, or
+	// it does not contain the token's kid (e.g. a newly rotated-in key). The
+	// cache is scoped to `cacheKey`, so a token is only ever matched against the
+	// key set published by its own source.
+	if (!cached || !isFresh || !hasKid) {
+		const jwks =
 			typeof opts.jwksFetch === "string"
 				? await betterFetch<JSONWebKeySet>(opts.jwksFetch, {
 						headers: {
@@ -101,9 +153,11 @@ export async function getJwks(
 					})
 				: await opts.jwksFetch();
 		if (!jwks) throw new Error("No jwks found");
+		jwksCache.set(cacheKey, { jwks, fetchedAt: Date.now() });
+		return jwks;
 	}
 
-	return jwks;
+	return cached.jwks;
 }
 
 /**
@@ -137,13 +191,16 @@ export async function verifyAccessToken(
 			if (error instanceof Error) {
 				if (error.name === "TypeError" || error.name === "JWSInvalid") {
 					// likely an opaque token (continue)
-				} else if (error.name === "JWTExpired") {
+				} else if (error instanceof joseErrors.JWTExpired) {
 					throw new APIError("UNAUTHORIZED", {
 						message: "token expired",
 					});
-				} else if (error.name === "JWTInvalid") {
+				} else if (error instanceof joseErrors.JOSEError) {
+					if (isJoseInfrastructureError(error)) {
+						throw error;
+					}
 					throw new APIError("UNAUTHORIZED", {
-						message: "token invalid",
+						message: "invalid access token",
 					});
 				} else {
 					throw error;
@@ -185,13 +242,23 @@ export async function verifyAccessToken(
 			throw new APIError("UNAUTHORIZED", {
 				message: "token inactive",
 			});
-		// Verifies payload using verify options (token valid through introspect)
+		// Verifies payload using verify options (token valid through introspect).
+		// Audience is enforced by default: when `verifyOptions.audience` is set
+		// but the introspection response omits `aud` (or it mismatches),
+		// `UnsecuredJWT.decode` throws and the token is rejected. Otherwise a
+		// token issued for a different resource/client on the same issuer would
+		// also pass. Only drop the audience check when the caller has explicitly
+		// opted in via `remoteVerify.allowMissingAudience`.
 		try {
 			const unsecuredJwt = new UnsecuredJWT(introspect).encode();
-			const { audience: _audience, ...verifyOptions } = opts.verifyOptions;
-			const verify = introspect.aud
-				? UnsecuredJWT.decode(unsecuredJwt, opts.verifyOptions)
-				: UnsecuredJWT.decode(unsecuredJwt, verifyOptions);
+			const { audience: _audience, ...verifyOptionsNoAudience } =
+				opts.verifyOptions;
+			const skipAudience =
+				!introspect.aud && opts.remoteVerify.allowMissingAudience === true;
+			const verify = UnsecuredJWT.decode(
+				unsecuredJwt,
+				skipAudience ? verifyOptionsNoAudience : opts.verifyOptions,
+			);
 			payload = verify.payload;
 		} catch (error) {
 			throw new Error(error as unknown as string);

package/src/social-providers/apple.ts

@@ -1,13 +1,14 @@
 import { betterFetch } from "@better-fetch/fetch";
 
-import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { decodeJwt, importJWK } from "jose";
 import { logger } from "../env";
 import { APIError, BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 export interface AppleProfile {
@@ -77,32 +78,42 @@ export interface AppleOptions extends ProviderOptions<AppleProfile> {
 	audience?: (string | string[]) | undefined;
 }
 
+const APPLE_DEFAULT_SCOPES = ["email", "name"];
+
 export const apple = (options: AppleOptions) => {
 	const tokenEndpoint = "https://appleid.apple.com/auth/token";
 	return {
 		id: "apple",
 		name: "Apple",
-		async createAuthorizationURL({ state, scopes, redirectURI }) {
+		callbackPath: "/callback/apple",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			redirectURI,
+			additionalParams,
+		}) {
 			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error(
 					"Client ID and client secret are required for Apple. Make sure to provide them in the options.",
 				);
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
-			if (options.scope) _scope.push(...options.scope);
-			if (scopes) _scope.push(...scopes);
-			const url = await createAuthorizationURL({
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				APPLE_DEFAULT_SCOPES,
+				scopes,
+			);
+			return createAuthorizationURL({
 				id: "apple",
 				options,
 				authorizationEndpoint: "https://appleid.apple.com/auth/authorize",
-				scopes: _scope,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
 				responseMode: "form_post",
 				responseType: "code id_token",
+				additionalParams,
 			});
-			return url;
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
 			return validateAuthorizationCode({
@@ -113,41 +124,17 @@ export const apple = (options: AppleOptions) => {
 				tokenEndpoint,
 			});
 		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) {
-				return false;
-			}
-			if (options.verifyIdToken) {
-				return options.verifyIdToken(token, nonce);
-			}
-			try {
-				const decodedHeader = decodeProtectedHeader(token);
-				const { kid, alg: jwtAlg } = decodedHeader;
-				if (!kid || !jwtAlg) return false;
-				const publicKey = await getApplePublicKey(kid);
-				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
-					algorithms: [jwtAlg],
-					issuer: "https://appleid.apple.com",
-					audience:
-						options.audience && options.audience.length
-							? options.audience
-							: options.appBundleIdentifier
-								? options.appBundleIdentifier
-								: options.clientId,
-					maxTokenAge: "1h",
-				});
-				["email_verified", "is_private_email"].forEach((field) => {
-					if (jwtClaims[field] !== undefined) {
-						jwtClaims[field] = Boolean(jwtClaims[field]);
-					}
-				});
-				if (nonce && jwtClaims.nonce !== nonce) {
-					return false;
-				}
-				return !!jwtClaims;
-			} catch {
-				return false;
-			}
+		idToken: {
+			jwks: (header) => getApplePublicKey(header.kid!),
+			issuer: "https://appleid.apple.com",
+			audience:
+				options.audience && options.audience.length
+					? options.audience
+					: options.appBundleIdentifier
+						? options.appBundleIdentifier
+						: options.clientId,
+			maxTokenAge: "1h",
+			nonceComparison: "exact-or-sha256",
 		},
 		refreshAccessToken: options.refreshAccessToken
 			? options.refreshAccessToken
@@ -202,7 +189,7 @@ export const apple = (options: AppleOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<AppleProfile>;
+	} satisfies UpstreamProvider<AppleProfile>;
 };
 
 export const getApplePublicKey = async (kid: string) => {

package/src/social-providers/atlassian.ts

@@ -1,10 +1,11 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -29,13 +30,22 @@ export interface AtlassianOptions extends ProviderOptions<AtlassianProfile> {
 	clientId: string;
 }
 
+const ATLASSIAN_DEFAULT_SCOPES = ["read:jira-user", "offline_access"];
+
 export const atlassian = (options: AtlassianOptions) => {
 	const tokenEndpoint = "https://auth.atlassian.com/oauth/token";
 	return {
 		id: "atlassian",
 		name: "Atlassian",
+		callbackPath: "/callback/atlassian",
 
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		async createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			additionalParams,
+		}) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Secret are required for Atlassian");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
@@ -44,21 +54,22 @@ export const atlassian = (options: AtlassianOptions) => {
 				throw new BetterAuthError("codeVerifier is required for Atlassian");
 			}
 
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["read:jira-user", "offline_access"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				ATLASSIAN_DEFAULT_SCOPES,
+				scopes,
+			);
 
 			return createAuthorizationURL({
 				id: "atlassian",
 				options,
 				authorizationEndpoint: "https://auth.atlassian.com/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				codeVerifier,
 				redirectURI,
 				additionalParams: {
+					...(additionalParams ?? {}),
 					audience: "api.atlassian.com",
 				},
 				prompt: options.prompt,
@@ -129,5 +140,5 @@ export const atlassian = (options: AtlassianOptions) => {
 		},
 
 		options,
-	} satisfies OAuthProvider<AtlassianProfile>;
+	} satisfies UpstreamProvider<AtlassianProfile>;
 };

package/src/social-providers/cognito.ts

@@ -1,12 +1,13 @@
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { decodeJwt, importJWK } from "jose";
 import { logger } from "../env";
 import { APIError, BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -42,8 +43,23 @@ export interface CognitoOptions extends ProviderOptions<CognitoProfile> {
 	region: string;
 	userPoolId: string;
 	requireClientSecret?: boolean | undefined;
+	/**
+	 * Skip the Cognito hosted-UI identity-provider picker by preselecting an
+	 * IdP (maps to the `identity_provider` query parameter on the authorize
+	 * request). Accepts `"COGNITO"`, a SAML/OIDC provider name configured on
+	 * the User Pool, or one of the social providers (`"Google"`, `"Facebook"`,
+	 * `"LoginWithAmazon"`, `"SignInWithApple"`).
+	 *
+	 * Per-request overrides via `signIn.social({ additionalParams: { identity_provider } })`
+	 * take precedence over this value.
+	 *
+	 * @see https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
+	 */
+	identityProvider?: string | undefined;
 }
 
+const COGNITO_DEFAULT_SCOPES = ["openid", "profile", "email"];
+
 export const cognito = (options: CognitoOptions) => {
 	if (!options.domain || !options.region || !options.userPoolId) {
 		logger.error(
@@ -60,7 +76,14 @@ export const cognito = (options: CognitoOptions) => {
 	return {
 		id: "cognito",
 		name: "Cognito",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		callbackPath: "/callback/cognito",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			additionalParams,
+		}) {
 			if (!getPrimaryClientId(options.clientId)) {
 				logger.error(
 					"ClientId is required for Amazon Cognito. Make sure to provide them in the options.",
@@ -74,23 +97,29 @@ export const cognito = (options: CognitoOptions) => {
 				);
 				throw new BetterAuthError("CLIENT_SECRET_REQUIRED");
 			}
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["openid", "profile", "email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				COGNITO_DEFAULT_SCOPES,
+				scopes,
+			);
 
-			const url = await createAuthorizationURL({
+			const { url } = await createAuthorizationURL({
 				id: "cognito",
 				options: {
 					...options,
 				},
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				codeVerifier,
 				redirectURI,
 				prompt: options.prompt,
+				additionalParams: {
+					...(options.identityProvider
+						? { identity_provider: options.identityProvider }
+						: {}),
+					...(additionalParams ?? {}),
+				},
 			});
 			// AWS Cognito requires scopes to be encoded with %20 instead of +
 			// URLSearchParams encodes spaces as + by default, so we need to fix this
@@ -101,9 +130,12 @@ export const cognito = (options: CognitoOptions) => {
 				// Manually append the scope with proper encoding to the URL
 				const urlString = url.toString();
 				const separator = urlString.includes("?") ? "&" : "?";
-				return new URL(`${urlString}${separator}scope=${encodedScope}`);
+				return {
+					url: new URL(`${urlString}${separator}scope=${encodedScope}`),
+					requestedScopes,
+				};
 			}
-			return url;
+			return { url, requestedScopes };
 		},
 
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
@@ -130,41 +162,12 @@ export const cognito = (options: CognitoOptions) => {
 					});
 				},
 
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) {
-				return false;
-			}
-			if (options.verifyIdToken) {
-				return options.verifyIdToken(token, nonce);
-			}
-
-			try {
-				const decodedHeader = decodeProtectedHeader(token);
-				const { kid, alg: jwtAlg } = decodedHeader;
-				if (!kid || !jwtAlg) return false;
-
-				const publicKey = await getCognitoPublicKey(
-					kid,
-					options.region,
-					options.userPoolId,
-				);
-				const expectedIssuer = `https://cognito-idp.${options.region}.amazonaws.com/${options.userPoolId}`;
-
-				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
-					algorithms: [jwtAlg],
-					issuer: expectedIssuer,
-					audience: options.clientId,
-					maxTokenAge: "1h",
-				});
-
-				if (nonce && jwtClaims.nonce !== nonce) {
-					return false;
-				}
-				return true;
-			} catch (error) {
-				logger.error("Failed to verify ID token:", error);
-				return false;
-			}
+		idToken: {
+			jwks: (header) =>
+				getCognitoPublicKey(header.kid!, options.region, options.userPoolId),
+			issuer: `https://cognito-idp.${options.region}.amazonaws.com/${options.userPoolId}`,
+			audience: options.clientId,
+			maxTokenAge: "1h",
 		},
 
 		async getUserInfo(token) {
@@ -240,7 +243,7 @@ export const cognito = (options: CognitoOptions) => {
 		},
 
 		options,
-	} satisfies OAuthProvider<CognitoProfile>;
+	} satisfies UpstreamProvider<CognitoProfile>;
 };
 
 export const getCognitoPublicKey = async (

package/src/social-providers/discord.ts

@@ -1,6 +1,11 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
-import { refreshAccessToken, validateAuthorizationCode } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	resolveRequestedScopes,
+	validateAuthorizationCode,
+} from "../oauth2";
 export interface DiscordProfile extends Record<string, any> {
 	/** the user's id (i.e. the numerical snowflake) */
 	id: string;
@@ -79,31 +84,41 @@ export interface DiscordOptions extends ProviderOptions<DiscordProfile> {
 	permissions?: number | undefined;
 }
 
+const DISCORD_DEFAULT_SCOPES = ["identify", "email"];
+
 export const discord = (options: DiscordOptions) => {
 	const tokenEndpoint = "https://discord.com/api/oauth2/token";
 	return {
 		id: "discord",
 		name: "Discord",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
-			const _scopes = options.disableDefaultScope ? [] : ["identify", "email"];
-			if (scopes) _scopes.push(...scopes);
-			if (options.scope) _scopes.push(...options.scope);
-			const hasBotScope = _scopes.includes("bot");
-			const permissionsParam =
-				hasBotScope && options.permissions !== undefined
-					? `&permissions=${options.permissions}`
-					: "";
-			return new URL(
-				`https://discord.com/api/oauth2/authorize?scope=${_scopes.join(
-					"+",
-				)}&response_type=code&client_id=${
-					options.clientId
-				}&redirect_uri=${encodeURIComponent(
-					options.redirectURI || redirectURI,
-				)}&state=${state}&prompt=${
-					options.prompt || "none"
-				}${permissionsParam}`,
+		callbackPath: "/callback/discord",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			redirectURI,
+			additionalParams,
+		}) {
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				DISCORD_DEFAULT_SCOPES,
+				scopes,
 			);
+			const hasBotScope = requestedScopes.includes("bot");
+			return createAuthorizationURL({
+				id: "discord",
+				options,
+				authorizationEndpoint: "https://discord.com/api/oauth2/authorize",
+				scopes: requestedScopes,
+				state,
+				redirectURI,
+				prompt: options.prompt || "none",
+				additionalParams: {
+					...(hasBotScope && options.permissions !== undefined
+						? { permissions: String(options.permissions) }
+						: {}),
+					...(additionalParams ?? {}),
+				},
+			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
 			return validateAuthorizationCode({
@@ -166,5 +181,5 @@ export const discord = (options: DiscordOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<DiscordProfile>;
+	} satisfies UpstreamProvider<DiscordProfile>;
 };

package/src/social-providers/dropbox.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -25,34 +26,41 @@ export interface DropboxOptions extends ProviderOptions<DropboxProfile> {
 	accessType?: ("offline" | "online" | "legacy") | undefined;
 }
 
+const DROPBOX_DEFAULT_SCOPES = ["account_info.read"];
+
 export const dropbox = (options: DropboxOptions) => {
 	const tokenEndpoint = "https://api.dropboxapi.com/oauth2/token";
 
 	return {
 		id: "dropbox",
 		name: "Dropbox",
+		callbackPath: "/callback/dropbox",
 		createAuthorizationURL: async ({
 			state,
 			scopes,
 			codeVerifier,
 			redirectURI,
+			additionalParams,
 		}) => {
-			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			const additionalParams: Record<string, string> = {};
-			if (options.accessType) {
-				additionalParams.token_access_type = options.accessType;
-			}
-			return await createAuthorizationURL({
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				DROPBOX_DEFAULT_SCOPES,
+				scopes,
+			);
+			return createAuthorizationURL({
 				id: "dropbox",
 				options,
 				authorizationEndpoint: "https://www.dropbox.com/oauth2/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
 				codeVerifier,
-				additionalParams,
+				additionalParams: {
+					...(options.accessType
+						? { token_access_type: options.accessType }
+						: {}),
+					...(additionalParams ?? {}),
+				},
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
@@ -108,5 +116,5 @@ export const dropbox = (options: DropboxOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<DropboxProfile>;
+	} satisfies UpstreamProvider<DropboxProfile>;
 };