@better-auth/core 1.7.0-beta.3 → 1.7.0-beta.5

package/dist/social-providers/cognito.mjs

@@ -1,12 +1,18 @@
 import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
-import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { decodeJwt, importJWK } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/cognito.ts
+const COGNITO_DEFAULT_SCOPES = [
+	"openid",
+	"profile",
+	"email"
+];
 const cognito = (options) => {
 	if (!options.domain || !options.region || !options.userPoolId) {
 		logger.error("Domain, region and userPoolId are required for Amazon Cognito. Make sure to provide them in the options.");
@@ -19,7 +25,8 @@ const cognito = (options) => {
 	return {
 		id: "cognito",
 		name: "Cognito",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		callbackPath: "/callback/cognito",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!getPrimaryClientId(options.clientId)) {
 				logger.error("ClientId is required for Amazon Cognito. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
@@ -28,22 +35,20 @@ const cognito = (options) => {
 				logger.error("Client Secret is required when requireClientSecret is true. Make sure to provide it in the options.");
 				throw new BetterAuthError("CLIENT_SECRET_REQUIRED");
 			}
-			const _scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"profile",
-				"email"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			const url = await createAuthorizationURL({
+			const requestedScopes = resolveRequestedScopes(options, COGNITO_DEFAULT_SCOPES, scopes);
+			const { url } = await createAuthorizationURL({
 				id: "cognito",
 				options: { ...options },
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				codeVerifier,
 				redirectURI,
-				prompt: options.prompt
+				prompt: options.prompt,
+				additionalParams: {
+					...options.identityProvider ? { identity_provider: options.identityProvider } : {},
+					...additionalParams ?? {}
+				}
 			});
 			const scopeValue = url.searchParams.get("scope");
 			if (scopeValue) {
@@ -51,9 +56,15 @@ const cognito = (options) => {
 				const encodedScope = encodeURIComponent(scopeValue);
 				const urlString = url.toString();
 				const separator = urlString.includes("?") ? "&" : "?";
-				return new URL(`${urlString}${separator}scope=${encodedScope}`);
+				return {
+					url: new URL(`${urlString}${separator}scope=${encodedScope}`),
+					requestedScopes
+				};
 			}
-			return url;
+			return {
+				url,
+				requestedScopes
+			};
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
 			return validateAuthorizationCode({
@@ -75,26 +86,11 @@ const cognito = (options) => {
 				tokenEndpoint
 			});
 		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) return false;
-			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
-			try {
-				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
-				if (!kid || !jwtAlg) return false;
-				const publicKey = await getCognitoPublicKey(kid, options.region, options.userPoolId);
-				const expectedIssuer = `https://cognito-idp.${options.region}.amazonaws.com/${options.userPoolId}`;
-				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
-					algorithms: [jwtAlg],
-					issuer: expectedIssuer,
-					audience: options.clientId,
-					maxTokenAge: "1h"
-				});
-				if (nonce && jwtClaims.nonce !== nonce) return false;
-				return true;
-			} catch (error) {
-				logger.error("Failed to verify ID token:", error);
-				return false;
-			}
+		idToken: {
+			jwks: (header) => getCognitoPublicKey(header.kid, options.region, options.userPoolId),
+			issuer: `https://cognito-idp.${options.region}.amazonaws.com/${options.userPoolId}`,
+			audience: options.clientId,
+			maxTokenAge: "1h"
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) return options.getUserInfo(token);

package/dist/social-providers/discord.d.mts

@@ -77,10 +77,12 @@ interface DiscordOptions extends ProviderOptions<DiscordProfile> {
 declare const discord: (options: DiscordOptions) => {
   id: "discord";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -88,7 +90,11 @@ declare const discord: (options: DiscordOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): URL;
+    additionalParams?: Record<string, string> | undefined;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/discord.mjs

@@ -1,18 +1,32 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/discord.ts
+const DISCORD_DEFAULT_SCOPES = ["identify", "email"];
 const discord = (options) => {
 	const tokenEndpoint = "https://discord.com/api/oauth2/token";
 	return {
 		id: "discord",
 		name: "Discord",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
-			const _scopes = options.disableDefaultScope ? [] : ["identify", "email"];
-			if (scopes) _scopes.push(...scopes);
-			if (options.scope) _scopes.push(...options.scope);
-			const permissionsParam = _scopes.includes("bot") && options.permissions !== void 0 ? `&permissions=${options.permissions}` : "";
-			return new URL(`https://discord.com/api/oauth2/authorize?scope=${_scopes.join("+")}&response_type=code&client_id=${options.clientId}&redirect_uri=${encodeURIComponent(options.redirectURI || redirectURI)}&state=${state}&prompt=${options.prompt || "none"}${permissionsParam}`);
+		callbackPath: "/callback/discord",
+		async createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
+			const requestedScopes = resolveRequestedScopes(options, DISCORD_DEFAULT_SCOPES, scopes);
+			const hasBotScope = requestedScopes.includes("bot");
+			return createAuthorizationURL({
+				id: "discord",
+				options,
+				authorizationEndpoint: "https://discord.com/api/oauth2/authorize",
+				scopes: requestedScopes,
+				state,
+				redirectURI,
+				prompt: options.prompt || "none",
+				additionalParams: {
+					...hasBotScope && options.permissions !== void 0 ? { permissions: String(options.permissions) } : {},
+					...additionalParams ?? {}
+				}
+			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
 			return validateAuthorizationCode({

package/dist/social-providers/dropbox.d.mts

@@ -20,11 +20,13 @@ interface DropboxOptions extends ProviderOptions<DropboxProfile> {
 declare const dropbox: (options: DropboxOptions) => {
   id: "dropbox";
   name: string;
+  callbackPath: string;
   createAuthorizationURL: ({
     state,
     scopes,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -32,7 +34,11 @@ declare const dropbox: (options: DropboxOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }) => Promise<URL>;
+    additionalParams?: Record<string, string> | undefined;
+  }) => Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/dropbox.mjs

@@ -1,28 +1,29 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/dropbox.ts
+const DROPBOX_DEFAULT_SCOPES = ["account_info.read"];
 const dropbox = (options) => {
 	const tokenEndpoint = "https://api.dropboxapi.com/oauth2/token";
 	return {
 		id: "dropbox",
 		name: "Dropbox",
-		createAuthorizationURL: async ({ state, scopes, codeVerifier, redirectURI }) => {
-			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			const additionalParams = {};
-			if (options.accessType) additionalParams.token_access_type = options.accessType;
-			return await createAuthorizationURL({
+		callbackPath: "/callback/dropbox",
+		createAuthorizationURL: async ({ state, scopes, codeVerifier, redirectURI, additionalParams }) => {
+			return createAuthorizationURL({
 				id: "dropbox",
 				options,
 				authorizationEndpoint: "https://www.dropbox.com/oauth2/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, DROPBOX_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				codeVerifier,
-				additionalParams
+				additionalParams: {
+					...options.accessType ? { token_access_type: options.accessType } : {},
+					...additionalParams ?? {}
+				}
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/dist/social-providers/facebook.d.mts

@@ -1,4 +1,6 @@
 import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import * as jose from "jose";
+
 //#region src/social-providers/facebook.d.ts
 interface FacebookProfile {
   id: string;
@@ -30,11 +32,13 @@ interface FacebookOptions extends ProviderOptions<FacebookProfile> {
 declare const facebook: (options: FacebookOptions) => {
   id: "facebook";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
     redirectURI,
-    loginHint
+    loginHint,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -42,7 +46,11 @@ declare const facebook: (options: FacebookOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): Promise<URL>;
+    additionalParams?: Record<string, string> | undefined;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI
@@ -52,7 +60,20 @@ declare const facebook: (options: FacebookOptions) => {
     codeVerifier?: string | undefined;
     deviceId?: string | undefined;
   }) => Promise<OAuth2Tokens>;
-  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  idToken: {
+    jwks: {
+      (protectedHeader?: jose.JWSHeaderParameters, token?: jose.FlattenedJWSInput): Promise<jose.CryptoKey>;
+      coolingDown: boolean;
+      fresh: boolean;
+      reloading: boolean;
+      reload: () => Promise<void>;
+      jwks: () => jose.JSONWebKeySet | undefined;
+    };
+    issuer: string;
+    audience: string | string[];
+    algorithms: string[];
+    allowOpaqueToken: true;
+  };
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
     user?: {

package/dist/social-providers/facebook.mjs

@@ -1,33 +1,64 @@
 import { BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
-import { createRemoteJWKSet, decodeJwt, jwtVerify } from "jose";
+import { createRemoteJWKSet, decodeJwt } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/facebook.ts
+/**
+* Validate an opaque Facebook access token against the configured app.
+*
+* Facebook access tokens are not audience-bound at the Graph `/me` endpoint: a
+* token minted for any Facebook app returns that app's profile. Without this
+* check, a token issued to an unrelated app could be presented to this
+* app's direct sign-in path and accepted as proof of identity. We call the
+* `debug_token` endpoint and require the token to be valid, bound to one of the
+* configured client ids, and tied to a user.
+*
+* @see https://developers.facebook.com/docs/facebook-login/guides/access-tokens/debugging
+*
+* @returns the inspected token's `user_id` when the token is valid and bound to
+* the configured app, otherwise `null`.
+*/
+async function verifyFacebookAccessToken(accessToken, options) {
+	const primaryClientId = getPrimaryClientId(options.clientId);
+	if (!primaryClientId || !options.clientSecret) return null;
+	const clientIds = Array.isArray(options.clientId) ? options.clientId : [options.clientId];
+	const { data, error } = await betterFetch("https://graph.facebook.com/debug_token", { query: {
+		input_token: accessToken,
+		access_token: `${primaryClientId}|${options.clientSecret}`
+	} });
+	if (error || !data?.data) return null;
+	const { is_valid, app_id, user_id } = data.data;
+	if (is_valid !== true || !app_id || !clientIds.includes(app_id) || !user_id) return null;
+	return user_id;
+}
+const FACEBOOK_DEFAULT_SCOPES = ["email", "public_profile"];
 const facebook = (options) => {
 	return {
 		id: "facebook",
 		name: "Facebook",
-		async createAuthorizationURL({ state, scopes, redirectURI, loginHint }) {
+		callbackPath: "/callback/facebook",
+		async createAuthorizationURL({ state, scopes, redirectURI, loginHint, additionalParams }) {
 			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error("Client ID and client secret are required for Facebook. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const _scopes = options.disableDefaultScope ? [] : ["email", "public_profile"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+			return createAuthorizationURL({
 				id: "facebook",
 				options,
 				authorizationEndpoint: "https://www.facebook.com/v24.0/dialog/oauth",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, FACEBOOK_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				loginHint,
-				additionalParams: options.configId ? { config_id: options.configId } : {}
+				additionalParams: {
+					...options.configId ? { config_id: options.configId } : {},
+					...additionalParams ?? {}
+				}
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
@@ -38,21 +69,12 @@ const facebook = (options) => {
 				tokenEndpoint: "https://graph.facebook.com/v24.0/oauth/access_token"
 			});
 		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) return false;
-			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
-			if (token.split(".").length === 3) try {
-				const { payload: jwtClaims } = await jwtVerify(token, createRemoteJWKSet(new URL("https://limited.facebook.com/.well-known/oauth/openid/jwks/")), {
-					algorithms: ["RS256"],
-					audience: options.clientId,
-					issuer: "https://www.facebook.com"
-				});
-				if (nonce && jwtClaims.nonce !== nonce) return false;
-				return !!jwtClaims;
-			} catch {
-				return false;
-			}
-			return true;
+		idToken: {
+			jwks: createRemoteJWKSet(new URL("https://limited.facebook.com/.well-known/oauth/openid/jwks/")),
+			issuer: "https://www.facebook.com",
+			audience: options.clientId,
+			algorithms: ["RS256"],
+			allowOpaqueToken: true
 		},
 		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
 			return refreshAccessToken({
@@ -93,6 +115,10 @@ const facebook = (options) => {
 					data: profile
 				};
 			}
+			const accessToken = token.accessToken;
+			if (!accessToken) return null;
+			const tokenUserId = await verifyFacebookAccessToken(accessToken, options);
+			if (!tokenUserId) return null;
 			const { data: profile, error } = await betterFetch("https://graph.facebook.com/me?fields=" + [
 				"id",
 				"name",
@@ -101,9 +127,10 @@ const facebook = (options) => {
 				...options?.fields || []
 			].join(","), { auth: {
 				type: "Bearer",
-				token: token.accessToken
+				token: accessToken
 			} });
 			if (error) return null;
+			if (profile.id !== tokenUserId) return null;
 			const userMap = await options.mapProfileToUser?.(profile);
 			return {
 				user: {

package/dist/social-providers/figma.d.mts

@@ -12,11 +12,13 @@ interface FigmaOptions extends ProviderOptions<FigmaProfile> {
 declare const figma: (options: FigmaOptions) => {
   id: "figma";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -24,7 +26,11 @@ declare const figma: (options: FigmaOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): Promise<URL>;
+    additionalParams?: Record<string, string> | undefined;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/figma.mjs

@@ -1,32 +1,33 @@
 import { BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/figma.ts
+const FIGMA_DEFAULT_SCOPES = ["current_user:read"];
 const figma = (options) => {
 	const tokenEndpoint = "https://api.figma.com/v1/oauth/token";
 	return {
 		id: "figma",
 		name: "Figma",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		callbackPath: "/callback/figma",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Client Secret are required for Figma. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Figma");
-			const _scopes = options.disableDefaultScope ? [] : ["current_user:read"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+			return createAuthorizationURL({
 				id: "figma",
 				options,
 				authorizationEndpoint: "https://www.figma.com/oauth",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, FIGMA_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
-				redirectURI
+				redirectURI,
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/dist/social-providers/github.d.mts

@@ -52,12 +52,14 @@ interface GithubOptions extends ProviderOptions<GithubProfile> {
 declare const github: (options: GithubOptions) => {
   id: "github";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
     loginHint,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -65,7 +67,11 @@ declare const github: (options: GithubOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): Promise<URL>;
+    additionalParams?: Record<string, string> | undefined;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/github.mjs

@@ -1,33 +1,34 @@
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getOAuth2Tokens } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
-import { createAuthorizationCodeRequest } from "../oauth2/validate-authorization-code.mjs";
+import { authorizationCodeRequest } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/github.ts
+const GITHUB_DEFAULT_SCOPES = ["read:user", "user:email"];
 const github = (options) => {
 	const tokenEndpoint = "https://github.com/login/oauth/access_token";
 	return {
 		id: "github",
 		name: "GitHub",
-		createAuthorizationURL({ state, scopes, loginHint, codeVerifier, redirectURI }) {
-			const _scopes = options.disableDefaultScope ? [] : ["read:user", "user:email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/github",
+		createAuthorizationURL({ state, scopes, loginHint, codeVerifier, redirectURI, additionalParams }) {
 			return createAuthorizationURL({
 				id: "github",
 				options,
 				authorizationEndpoint: "https://github.com/login/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, GITHUB_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,
 				loginHint,
-				prompt: options.prompt
+				prompt: options.prompt,
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
-			const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+			const { body, headers: requestHeaders } = await authorizationCodeRequest({
 				code,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/gitlab.d.mts

@@ -52,12 +52,14 @@ interface GitlabOptions extends ProviderOptions<GitlabProfile> {
 declare const gitlab: (options: GitlabOptions) => {
   id: "gitlab";
   name: string;
+  callbackPath: string;
   createAuthorizationURL: ({
     state,
     scopes,
     codeVerifier,
     loginHint,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -65,7 +67,11 @@ declare const gitlab: (options: GitlabOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }) => Promise<URL>;
+    additionalParams?: Record<string, string> | undefined;
+  }) => Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI,

package/dist/social-providers/gitlab.mjs

@@ -1,3 +1,4 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -14,25 +15,25 @@ const issuerToEndpoints = (issuer) => {
 		userinfoEndpoint: cleanDoubleSlashes(`${baseUrl}/api/v4/user`)
 	};
 };
+const GITLAB_DEFAULT_SCOPES = ["read_user"];
 const gitlab = (options) => {
 	const { authorizationEndpoint, tokenEndpoint, userinfoEndpoint } = issuerToEndpoints(options.issuer);
 	const issuerId = "gitlab";
 	return {
 		id: issuerId,
 		name: "Gitlab",
-		createAuthorizationURL: async ({ state, scopes, codeVerifier, loginHint, redirectURI }) => {
-			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+		callbackPath: "/callback/gitlab",
+		createAuthorizationURL: ({ state, scopes, codeVerifier, loginHint, redirectURI, additionalParams }) => {
+			return createAuthorizationURL({
 				id: issuerId,
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, GITLAB_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				codeVerifier,
-				loginHint
+				loginHint,
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {