@better-auth/core 1.7.0-beta.4 → 1.7.0-beta.5

package/dist/social-providers/vercel.d.mts

@@ -14,6 +14,7 @@ interface VercelOptions extends ProviderOptions<VercelProfile> {
 declare const vercel: (options: VercelOptions) => {
   id: "vercel";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -28,7 +29,10 @@ declare const vercel: (options: VercelOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/vercel.mjs

@@ -1,25 +1,22 @@
 import { BetterAuthError } from "../error/index.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/vercel.ts
+const VERCEL_DEFAULT_SCOPES = [];
 const vercel = (options) => {
 	return {
 		id: "vercel",
 		name: "Vercel",
+		callbackPath: "/callback/vercel",
 		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Vercel");
-			let _scopes = void 0;
-			if (options.scope !== void 0 || scopes !== void 0) {
-				_scopes = [];
-				if (options.scope) _scopes.push(...options.scope);
-				if (scopes) _scopes.push(...scopes);
-			}
 			return createAuthorizationURL({
 				id: "vercel",
 				options,
 				authorizationEndpoint: "https://vercel.com/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, VERCEL_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/vk.d.mts

@@ -20,6 +20,7 @@ interface VkOption extends ProviderOptions {
 declare const vk: (options: VkOption) => {
   id: "vk";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -34,7 +35,10 @@ declare const vk: (options: VkOption) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/vk.mjs

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/vk.ts
+const VK_DEFAULT_SCOPES = ["email", "phone"];
 const vk = (options) => {
 	const tokenEndpoint = "https://id.vk.com/oauth2/auth";
 	return {
 		id: "vk",
 		name: "VK",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["email", "phone"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/vk",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			return createAuthorizationURL({
 				id: "vk",
 				options,
 				authorizationEndpoint: "https://id.vk.com/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, VK_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				codeVerifier,

package/dist/social-providers/wechat.d.mts

@@ -53,6 +53,7 @@ interface WeChatOptions extends ProviderOptions<WeChatProfile> {
 declare const wechat: (options: WeChatOptions) => {
   id: "wechat";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -66,7 +67,10 @@ declare const wechat: (options: WeChatOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): URL;
+  }): {
+    url: URL;
+    requestedScopes: string[];
+  };
   validateAuthorizationCode: ({
     code
   }: {

package/dist/social-providers/wechat.mjs

@@ -1,16 +1,17 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { RESERVED_AUTHORIZATION_PARAMS_SET } from "../oauth2/create-authorization-url.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/wechat.ts
+const WECHAT_DEFAULT_SCOPES = ["snsapi_login"];
 const wechat = (options) => {
 	return {
 		id: "wechat",
 		name: "WeChat",
+		callbackPath: "/callback/wechat",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["snsapi_login"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(options, WECHAT_DEFAULT_SCOPES, scopes);
 			const url = new URL("https://open.weixin.qq.com/connect/qrconnect");
-			url.searchParams.set("scope", _scopes.join(","));
+			url.searchParams.set("scope", requestedScopes.join(","));
 			url.searchParams.set("response_type", "code");
 			url.searchParams.set("appid", options.clientId);
 			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
@@ -22,7 +23,10 @@ const wechat = (options) => {
 				url.searchParams.set(key, value);
 			}
 			url.hash = "wechat_redirect";
-			return url;
+			return {
+				url,
+				requestedScopes
+			};
 		},
 		validateAuthorizationCode: async ({ code }) => {
 			const { data: tokenData, error } = await betterFetch("https://api.weixin.qq.com/sns/oauth2/access_token?" + new URLSearchParams({

package/dist/social-providers/zoom.d.mts

@@ -116,8 +116,10 @@ interface ZoomOptions extends ProviderOptions<ZoomProfile> {
 declare const zoom: (userOptions: ZoomOptions) => {
   id: "zoom";
   name: string;
+  callbackPath: string;
   createAuthorizationURL: ({
     state,
+    scopes,
     redirectURI,
     codeVerifier,
     additionalParams
@@ -129,7 +131,10 @@ declare const zoom: (userOptions: ZoomOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }) => Promise<URL>;
+  }) => Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI,

package/dist/social-providers/zoom.mjs

@@ -1,8 +1,10 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/zoom.ts
+const ZOOM_DEFAULT_SCOPES = [];
 const zoom = (userOptions) => {
 	const options = {
 		pkce: true,
@@ -11,15 +13,19 @@ const zoom = (userOptions) => {
 	return {
 		id: "zoom",
 		name: "Zoom",
-		createAuthorizationURL: async ({ state, redirectURI, codeVerifier, additionalParams }) => createAuthorizationURL({
-			id: "zoom",
-			options,
-			authorizationEndpoint: "https://zoom.us/oauth/authorize",
-			state,
-			redirectURI,
-			codeVerifier: options.pkce ? codeVerifier : void 0,
-			additionalParams
-		}),
+		callbackPath: "/callback/zoom",
+		createAuthorizationURL: ({ state, scopes, redirectURI, codeVerifier, additionalParams }) => {
+			return createAuthorizationURL({
+				id: "zoom",
+				options,
+				authorizationEndpoint: "https://zoom.us/oauth/authorize",
+				scopes: resolveRequestedScopes(options, ZOOM_DEFAULT_SCOPES, scopes),
+				state,
+				redirectURI,
+				codeVerifier: options.pkce ? codeVerifier : void 0,
+				additionalParams
+			});
+		},
 		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
 			return validateAuthorizationCode({
 				code,

package/dist/types/context.d.mts

@@ -6,11 +6,11 @@ import { Verification } from "../db/schema/verification.mjs";
 import { createLogger } from "../env/logger.mjs";
 import { Awaitable, LiteralString } from "./helper.mjs";
 import { BetterAuthPlugin } from "./plugin.mjs";
-import { BetterAuthOptions, BetterAuthRateLimitOptions } from "./init-options.mjs";
+import { BetterAuthOptions, BetterAuthRateLimitOptions, UserProvisioningSource } from "./init-options.mjs";
 import { Account } from "../db/schema/account.mjs";
 import { BetterAuthCookie, BetterAuthCookies } from "./cookie.mjs";
 import { SecretConfig } from "./secret.mjs";
-import { OAuthProvider } from "../oauth2/oauth-provider.mjs";
+import { UpstreamProvider } from "../oauth2/oauth-provider.mjs";
 import { CookieOptions, EndpointContext } from "better-call";
 
 //#region src/types/context.d.ts
@@ -54,11 +54,13 @@ type GenericEndpointContext<Options extends BetterAuthOptions = BetterAuthOption
   context: AuthContext<Options>;
 };
 interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions> {
-  createOAuthUser(user: Omit<User, "id" | "createdAt" | "updatedAt">, account: Omit<Account, "userId" | "id" | "createdAt" | "updatedAt"> & Partial<Account>): Promise<{
-    user: User;
-    account: Account;
-  }>;
-  createUser<T extends Record<string, any>>(user: Omit<User, "id" | "createdAt" | "updatedAt" | "emailVerified"> & Partial<User> & Record<string, any>): Promise<T & User>;
+  createUser<T extends Record<string, any>>(user: Omit<User, "id" | "createdAt" | "updatedAt" | "emailVerified"> & Partial<User> & Record<string, any>,
+  /**
+   * Provisioning source. The creation seam adds `action: "create-user"` and
+   * runs the `user.validateUserInfo` gate.
+   */
+
+  source: UserProvisioningSource): Promise<T & User>;
   createAccount<T extends Record<string, any>>(account: Omit<Account, "id" | "createdAt" | "updatedAt"> & Partial<Account> & T): Promise<T & Account>;
   listSessions(userId: string, options?: {
     onlyActiveSessions?: boolean | undefined;
@@ -213,7 +215,7 @@ type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> = Plugin
     session: Session & Record<string, any>;
     user: User & Record<string, any>;
   } | null) => void;
-  socialProviders: OAuthProvider[];
+  socialProviders: UpstreamProvider[];
   authCookies: BetterAuthCookies;
   logger: ReturnType<typeof createLogger>;
   rateLimit: {

package/dist/types/index.d.mts

@@ -1,6 +1,6 @@
 import { Awaitable, AwaitableFunction, LiteralString, LiteralUnion, Prettify, Primitive, UnionToIntersection } from "./helper.mjs";
 import { BetterAuthPlugin, BetterAuthPluginErrorCodePart, HookEndpointContext } from "./plugin.mjs";
-import { BaseURLConfig, BetterAuthAdvancedOptions, BetterAuthDBOptions, BetterAuthOptions, BetterAuthRateLimitOptions, BetterAuthRateLimitRule, BetterAuthRateLimitStorage, DynamicBaseURLConfig, GenerateIdFn, StoreIdentifierOption } from "./init-options.mjs";
+import { BaseURLConfig, BetterAuthAdvancedOptions, BetterAuthDBOptions, BetterAuthOptions, BetterAuthRateLimitOptions, BetterAuthRateLimitRule, BetterAuthRateLimitStorage, DynamicBaseURLConfig, GenerateIdFn, StoreIdentifierOption, UserProvisioningSource, ValidateUserInfoAction, ValidateUserInfoMethod, ValidateUserInfoOAuthInfo, ValidateUserInfoResult, ValidateUserInfoSSOInfo, ValidateUserInfoSource } from "./init-options.mjs";
 import { BetterAuthCookie, BetterAuthCookies } from "./cookie.mjs";
 import { SecretConfig } from "./secret.mjs";
 import { AuthContext, BetterAuthPluginRegistry, BetterAuthPluginRegistryIdentifier, GenericEndpointContext, InfoContext, InternalAdapter, PluginContext } from "./context.mjs";

package/dist/types/init-options.d.mts

@@ -27,6 +27,73 @@ type GenerateIdFn = (options: {
   model: ModelNames;
   size?: number | undefined;
 }) => string | false;
+/**
+ * What Better Auth is about to do with an incoming identity when
+ * {@link BetterAuthOptions.user}'s `validateUserInfo` runs.
+ *
+ * - `create-user`: a brand-new user record is about to be created.
+ * - `link-account`: a new provider account is about to be linked to an
+ *   already-existing user.
+ * - `sign-in`: an existing OAuth or SSO user is signing in again. This is the
+ *   one case where the provider can assert *changed* data, so the hook receives
+ *   the fresh provider email and profile (not the stored row), letting a domain
+ *   or org policy reject a user whose provider identity moved out of bounds.
+ *
+ * Non-provider returning sign-ins are not re-validated: they carry only the
+ * stored row, which has not changed since `create-user` gated it. Use the admin
+ * plugin's ban controls or a `databaseHooks.session.create.before` hook to
+ * block those.
+ */
+type ValidateUserInfoAction = "create-user" | "link-account" | "sign-in";
+/**
+ * The authentication method that produced the incoming user info. The named
+ * methods cover Better Auth's built-ins; the open `string` keeps it extensible
+ * for plugins (for example `"scim"`).
+ */
+type ValidateUserInfoMethod = "oauth" | "sso-oidc" | "sso-saml" | "email-password" | "magic-link" | "email-otp" | "anonymous" | "siwe" | "phone-number" | "admin" | (string & {});
+/** OAuth-specific provisioning context; present only when `method` is `"oauth"`. */
+type ValidateUserInfoOAuthInfo = {
+  /** The social or generic OAuth provider id (e.g. `"google"`). */providerId: string; /** The raw provider profile (userinfo or id-token claims), unmapped. */
+  profile?: Record<string, unknown> | undefined;
+};
+/** SSO-specific provisioning context; present for OIDC and SAML SSO methods. */
+type ValidateUserInfoSSOInfo = {
+  /** The configured SSO provider id. */providerId: string; /** The raw OIDC claims or SAML assertion attributes, unmapped. */
+  profile?: Record<string, unknown> | undefined;
+};
+/** Provisioning origin passed to `createUser`; the creation seam adds `action: "create-user"` to build {@link ValidateUserInfoSource}. */
+type UserProvisioningSource = {
+  method: ValidateUserInfoMethod; /** Provider id and raw profile; present iff `method` is `"oauth"`. */
+  oauth?: ValidateUserInfoOAuthInfo | undefined; /** Provider id and raw profile; present iff `method` is `"sso-oidc"` or `"sso-saml"`. */
+  sso?: ValidateUserInfoSSOInfo | undefined;
+};
+/**
+ * The context passed to `validateUserInfo`: the lifecycle
+ * {@link ValidateUserInfoAction}, the {@link ValidateUserInfoMethod}, and (for
+ * OAuth/SSO provider methods) protocol-specific provider metadata.
+ *
+ * ```ts
+ * // Scope to one OAuth provider:
+ * if (source.oauth?.providerId !== "google") return;
+ * // Branch on the method:
+ * if (source.method === "anonymous") return { error: "no_anonymous" };
+ * // Inspect SSO claims:
+ * if (source.method === "sso-saml" && source.sso?.profile?.department !== "eng") {
+ *   return { error: "invalid_department" };
+ * }
+ * ```
+ */
+type ValidateUserInfoSource = UserProvisioningSource & {
+  action: ValidateUserInfoAction;
+};
+type ValidateUserInfoResult = {
+  /** A short, machine-readable rejection code, surfaced to the client. */error: string;
+  /**
+   * A human-readable reason, surfaced to the client. Do not put sensitive
+   * details here.
+   */
+  errorDescription?: string | undefined;
+};
 /**
  * Configuration for dynamic base URL resolution.
  * Allows Better Auth to work with multiple domains (e.g., Vercel preview deployments).
@@ -684,6 +751,30 @@ type BetterAuthOptions = {
    * User configuration
    */
   user?: (BetterAuthDBOptions<"user", keyof BaseUser> & {
+    /**
+     * Gate which identities Better Auth admits. Called just before
+     * `create-user`, `link-account`, and (for OAuth) `sign-in`, across
+     * every authentication method, including stateless setups with no
+     * persistent database. On `sign-in` the hook receives the *fresh*
+     * provider email and profile, so a domain policy can reject a user
+     * whose provider identity moved out of bounds.
+     *
+     * Non-provider returning sign-ins are not re-validated; use the admin
+     * plugin's ban controls or a `databaseHooks.session.create.before`
+     * hook for those.
+     *
+     * Return nothing to allow; return `{ error }` to reject. Browser flows
+     * redirect to the configured error URL; programmatic flows surface a
+     * `403`.
+     *
+     * TODO: rename to `validateUser` (and the `ValidateUserInfo*` types).
+     * "UserInfo" is the OIDC term and misleads for the email/password,
+     * SIWE, phone, and admin methods.
+     */
+    validateUserInfo?: (data: {
+      user: Partial<User> & Record<string, unknown>;
+      source: ValidateUserInfoSource;
+    }, context: GenericEndpointContext) => Awaitable<void | ValidateUserInfoResult>;
     /**
      * Changing email configuration
      */
@@ -1379,4 +1470,4 @@ type BetterAuthOptions = {
   };
 };
 //#endregion
-export { BaseURLConfig, BetterAuthAdvancedOptions, BetterAuthDBOptions, BetterAuthOptions, BetterAuthRateLimitOptions, BetterAuthRateLimitRule, BetterAuthRateLimitStorage, DynamicBaseURLConfig, GenerateIdFn, StoreIdentifierOption };
+export { BaseURLConfig, BetterAuthAdvancedOptions, BetterAuthDBOptions, BetterAuthOptions, BetterAuthRateLimitOptions, BetterAuthRateLimitRule, BetterAuthRateLimitStorage, DynamicBaseURLConfig, GenerateIdFn, StoreIdentifierOption, UserProvisioningSource, ValidateUserInfoAction, ValidateUserInfoMethod, ValidateUserInfoOAuthInfo, ValidateUserInfoResult, ValidateUserInfoSSOInfo, ValidateUserInfoSource };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.7.0-beta.4",
+  "version": "1.7.0-beta.5",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -153,11 +153,11 @@
   },
   "devDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
+    "@better-fetch/fetch": "1.2.2",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/sdk-trace-base": "^1.30.0",
     "@opentelemetry/sdk-trace-node": "^1.30.0",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "@cloudflare/workers-types": "^4.20250121.0",
     "jose": "^6.1.3",
     "kysely": "^0.28.17 || ^0.29.0",
@@ -166,9 +166,9 @@
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
+    "@better-fetch/fetch": "1.2.2",
     "@opentelemetry/api": "^1.9.0",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "@cloudflare/workers-types": ">=4",
     "jose": "^6.1.0",
     "kysely": "^0.28.5 || ^0.29.0",

package/src/db/adapter/factory.ts

@@ -1391,13 +1391,21 @@ export const createAdapterFactory =
 										},
 									],
 								});
-								// A non-numeric count coerces to a false miss, so fail loud.
+								// `deleteMany` is typed `Promise<number>`. A non-number breaks
+								// the contract, so fail loud. A finite-number check then closes
+								// the NaN/Infinity hole: `NaN > 0` is false and `Infinity > 0`
+								// is true, so a bare `deleted > 0` would misclassify both. Only
+								// a finite positive count proves we won the delete race; any
+								// other value fails closed (returns null) so a single-use row
+								// is never reported consumed without proof.
 								if (typeof deleted !== "number") {
 									throw new BetterAuthError(
 										`Adapter "${config.adapterId}" returned a non-numeric value from deleteMany during the consumeOne fallback. Return the number of deleted rows, or implement a native consumeOne for atomic single-use consumption.`,
 									);
 								}
-								return deleted > 0 ? (target as T) : null;
+								return Number.isFinite(deleted) && deleted > 0
+									? (target as T)
+									: null;
 							}),
 					);
 					resultNeedsOutputTransform = false;

package/src/db/get-tables.ts

@@ -261,10 +261,15 @@ export const getAuthTables = (
 						options.account?.fields?.refreshTokenExpiresAt ||
 						"refreshTokenExpiresAt",
 				},
-				scope: {
-					type: "string",
+				// Renamed from the legacy `scope` column. The migration generator
+				// only adds this column; it does not transform the legacy `scope`
+				// value. Upgrading installs need a manual data migration (split
+				// legacy `scope` on comma/space, trim, drop empties, dedupe). Order
+				// is insignificant per RFC 6749 §3.3.
+				grantedScopes: {
+					type: "string[]",
 					required: false,
-					fieldName: options.account?.fields?.scope || "scope",
+					fieldName: options.account?.fields?.grantedScopes || "grantedScopes",
 				},
 				password: {
 					type: "string",

package/src/db/schema/account.ts

@@ -23,9 +23,21 @@ export const accountSchema = coreSchema.extend({
 	 */
 	refreshTokenExpiresAt: z.date().nullish(),
 	/**
-	 * The scopes that the user has authorized
+	 * The scopes the user has granted, as last observed (durable, per-account,
+	 * the unit of revocation and the refresh ceiling). A native array, not a
+	 * delimited string: scope order is insignificant per RFC 6749 §3.3, so the
+	 * value is normalized (trimmed, deduped, sorted) on write.
+	 *
+	 * Renamed from the legacy comma-joined `scope` string. Breaking, with no
+	 * automatic data migration (and no read-time shim): the migration generator
+	 * only adds the new `grantedScopes` column, so legacy accounts read as empty
+	 * here until an upgrade backfills `grantedScopes` from the old `scope` values
+	 * (split on comma/space, trim, drop empties, dedupe). See the release
+	 * changeset for the backfill.
+	 *
+	 * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
 	 */
-	scope: z.string().nullish(),
+	grantedScopes: z.array(z.string()).nullish(),
 	/**
 	 * Password is only stored in the credential provider
 	 */

package/src/env/env-impl.ts

@@ -46,8 +46,7 @@ function toBoolean(val: boolean | string | undefined) {
 	return val ? val !== "false" : false;
 }
 
-export const nodeENV =
-	(typeof process !== "undefined" && process.env && process.env.NODE_ENV) || "";
+export const nodeENV = env.NODE_ENV ?? "";
 
 /** Detect if `NODE_ENV` environment variable is `production` */
 export const isProduction = nodeENV === "production";

package/src/error/codes.ts

@@ -29,6 +29,11 @@ export const BASE_ERROR_CODES = defineErrorCodes({
 	TOKEN_EXPIRED: "Token expired",
 	ID_TOKEN_NOT_SUPPORTED: "id_token not supported",
 	FAILED_TO_GET_USER_INFO: "Failed to get user info",
+	PROVIDER_NOT_SUPPORTED: "Provider not supported",
+	TOKEN_REFRESH_NOT_SUPPORTED: "Token refresh not supported",
+	REFRESH_TOKEN_NOT_FOUND: "Refresh token not found",
+	FAILED_TO_GET_ACCESS_TOKEN: "Failed to get a valid access token",
+	FAILED_TO_REFRESH_ACCESS_TOKEN: "Failed to refresh access token",
 	USER_EMAIL_NOT_FOUND: "User email not found",
 	EMAIL_NOT_VERIFIED: "Email not verified",
 	PASSWORD_TOO_SHORT: "Password too short",

package/src/oauth2/create-authorization-url.ts

@@ -70,7 +70,7 @@ export async function createAuthorizationURL({
 	}
 	url.searchParams.set("client_id", primaryClientId);
 	url.searchParams.set("state", state);
-	if (scopes) {
+	if (scopes?.length) {
 		url.searchParams.set("scope", scopes.join(scopeJoiner || " "));
 	}
 	url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
@@ -107,5 +107,5 @@ export async function createAuthorizationURL({
 			url.searchParams.set(key, value);
 		}
 	}
-	return url;
+	return { url, requestedScopes: scopes ?? [] };
 }

package/src/oauth2/index.ts

@@ -27,15 +27,27 @@ export {
 	RESERVED_AUTHORIZATION_PARAMS_SET,
 } from "./create-authorization-url";
 export type {
+	AuthorizationURLResult,
+	GrantAuthority,
 	OAuth2Tokens,
 	OAuth2UserInfo,
-	OAuthProvider,
+	OAuthIdTokenConfig,
+	ProviderGrantAuthority,
 	ProviderOptions,
+	UpstreamProvider,
 } from "./oauth-provider";
 export {
 	refreshAccessToken,
 	refreshAccessTokenRequest,
 } from "./refresh-access-token";
+export {
+	includesGrantedScope,
+	normalizeScopes,
+	parseScopeField,
+	readGrantedScopes,
+	resolveRequestedScopes,
+	unionGrantedScopes,
+} from "./scopes";
 export type {
 	TokenEndpointAuth,
 	TokenEndpointAuthMethod,
@@ -57,3 +69,7 @@ export {
 	verifyAccessToken,
 	verifyJwsAccessToken,
 } from "./verify";
+export {
+	supportsIdTokenSignIn,
+	verifyProviderIdToken,
+} from "./verify-id-token";