@better-auth/core 1.7.0-beta.4 → 1.7.0-beta.6

package/src/social-providers/microsoft-entra-id.ts

@@ -1,16 +1,30 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { decodeJwt, importJWK } from "jose";
 import { logger } from "../env";
 import { APIError, BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type {
+	ClientAssertionGetter,
+	ProviderOptions,
+	TokenEndpointAuth,
+	UpstreamProvider,
+} from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
+/**
+ * Microsoft's fixed tenant id for personal (consumer) Microsoft accounts. Every
+ * personal-account token carries it as the `tid` claim, so it distinguishes the
+ * consumer account class from work/school tenants.
+ * @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
+ */
+const MICROSOFT_CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
+
 /**
  * @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)
  */
@@ -122,33 +136,67 @@ export interface MicrosoftOptions
 	 * The tenant ID of the Microsoft account
 	 * @default "common"
 	 */
-	tenantId?: string | undefined;
+	tenantId?: string;
 	/**
 	 * The authentication authority URL. Use the default "https://login.microsoftonline.com" for standard Entra ID or "https://<tenant-id>.ciamlogin.com" for CIAM scenarios.
 	 * @default "https://login.microsoftonline.com"
 	 */
-	authority?: string | undefined;
+	authority?: string;
+	/**
+	 * Function that returns a JWT client assertion for token endpoint authentication.
+	 *
+	 * Use this instead of `clientSecret` when your Microsoft Entra ID app is
+	 * configured for client authentication with assertions (private_key_jwt or
+	 * workload identity federation).
+	 */
+	clientAssertion?: ClientAssertionGetter;
 	/**
 	 * The size of the profile photo
 	 * @default 48
 	 */
-	profilePhotoSize?:
-		| (48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648)
-		| undefined;
+	profilePhotoSize?: 48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648;
 	/**
 	 * Disable profile photo
 	 */
-	disableProfilePhoto?: boolean | undefined;
+	disableProfilePhoto?: boolean;
 }
 
+const MICROSOFT_ENTRA_ID_DEFAULT_SCOPES = [
+	"openid",
+	"profile",
+	"email",
+	"User.Read",
+	"offline_access",
+];
+
 export const microsoft = (options: MicrosoftOptions) => {
 	const tenant = options.tenantId || "common";
-	const authority = options.authority || "https://login.microsoftonline.com";
+	// Trim any trailing slash so endpoint URLs and the issuer comparison below
+	// never produce a double slash (e.g. a configured `https://host/` would make
+	// the expected issuer `https://host//<tid>/v2.0` and reject every token). A
+	// loop avoids a trailing-slash regex, which is a polynomial-ReDoS shape.
+	let authority = options.authority || "https://login.microsoftonline.com";
+	while (authority.endsWith("/")) {
+		authority = authority.slice(0, -1);
+	}
 	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
 	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
+	if (options.clientSecret && options.clientAssertion) {
+		throw new BetterAuthError(
+			"Microsoft Entra ID clientAssertion cannot be combined with clientSecret",
+		);
+	}
+	const tokenEndpointAuth: TokenEndpointAuth | undefined =
+		options.clientAssertion
+			? {
+					method: "private_key_jwt",
+					getClientAssertion: options.clientAssertion,
+				}
+			: undefined;
 	return {
 		id: "microsoft",
 		name: "Microsoft EntraID",
+		callbackPath: "/callback/microsoft",
 		createAuthorizationURL(data) {
 			// Microsoft Entra supports public clients (SPA / native apps with
 			// PKCE only), so clientSecret is intentionally not required here.
@@ -159,18 +207,18 @@ export const microsoft = (options: MicrosoftOptions) => {
 				);
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const scopes = options.disableDefaultScope
-				? []
-				: ["openid", "profile", "email", "User.Read", "offline_access"];
-			if (options.scope) scopes.push(...options.scope);
-			if (data.scopes) scopes.push(...data.scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				MICROSOFT_ENTRA_ID_DEFAULT_SCOPES,
+				data.scopes,
+			);
 			return createAuthorizationURL({
 				id: "microsoft",
 				options,
 				authorizationEndpoint,
 				state: data.state,
 				codeVerifier: data.codeVerifier,
-				scopes,
+				scopes: requestedScopes,
 				redirectURI: data.redirectURI,
 				prompt: options.prompt,
 				loginHint: data.loginHint,
@@ -184,57 +232,52 @@ export const microsoft = (options: MicrosoftOptions) => {
 				redirectURI,
 				options,
 				tokenEndpoint,
+				tokenEndpointAuth,
 			});
 		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) {
-				return false;
-			}
-			if (options.verifyIdToken) {
-				return options.verifyIdToken(token, nonce);
-			}
-
-			try {
-				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
-				if (!kid || !jwtAlg) return false;
-
-				const publicKey = await getMicrosoftPublicKey(kid, tenant, authority);
-				const verifyOptions: {
-					algorithms: [string];
-					audience: string | string[];
-					maxTokenAge: string;
-					issuer?: string;
-				} = {
-					algorithms: [jwtAlg],
-					audience: options.clientId,
-					maxTokenAge: "1h",
-				};
-				/**
-				 * Issuer varies per user's tenant for multi-tenant endpoints, so only validate for specific tenants.
-				 * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
-				 */
+		idToken: {
+			jwks: (header) => getMicrosoftPublicKey(header.kid!, tenant, authority),
+			audience: options.clientId,
+			maxTokenAge: "1h",
+			/**
+			 * Issuer varies per tenant for multi-tenant endpoints, so only validate it for
+			 * specific tenants.
+			 * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
+			 */
+			issuer:
+				tenant !== "common" &&
+				tenant !== "organizations" &&
+				tenant !== "consumers"
+					? `${authority}/${tenant}/v2.0`
+					: undefined,
+			/**
+			 * The multi-tenant endpoints (common/organizations/consumers) skip the
+			 * issuer check above because the issuer varies per tenant, and the
+			 * organizations and consumers JWKS sets overlap. Enforce the tenant
+			 * binding explicitly so a token from a disallowed account class cannot
+			 * pass: the issuer must name the token's own tenant, and the account
+			 * class must match the configured restriction.
+			 * @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
+			 */
+			verifyClaims: (claims) => {
+				const tid = claims.tid;
 				if (
-					tenant !== "common" &&
-					tenant !== "organizations" &&
-					tenant !== "consumers"
+					typeof tid !== "string" ||
+					claims.iss !== `${authority}/${tid}/v2.0`
 				) {
-					verifyOptions.issuer = `${authority}/${tenant}/v2.0`;
+					return false;
 				}
-				const { payload: jwtClaims } = await jwtVerify(
-					token,
-					publicKey,
-					verifyOptions,
-				);
-
-				if (nonce && jwtClaims.nonce !== nonce) {
+				if (
+					tenant === "organizations" &&
+					tid === MICROSOFT_CONSUMER_TENANT_ID
+				) {
+					return false;
+				}
+				if (tenant === "consumers" && tid !== MICROSOFT_CONSUMER_TENANT_ID) {
 					return false;
 				}
-
 				return true;
-			} catch (error) {
-				logger.error("Failed to verify ID token:", error);
-				return false;
-			}
+			},
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) {
@@ -314,10 +357,11 @@ export const microsoft = (options: MicrosoftOptions) => {
 							scope: scopes.join(" "), // Include the scopes in request to microsoft
 						},
 						tokenEndpoint,
+						tokenEndpointAuth,
 					});
 				},
 		options,
-	} satisfies OAuthProvider;
+	} satisfies UpstreamProvider;
 };
 
 export const getMicrosoftPublicKey = async (

package/src/social-providers/naver.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -39,20 +40,25 @@ export interface NaverOptions extends ProviderOptions<NaverProfile> {
 	clientId: string;
 }
 
+const NAVER_DEFAULT_SCOPES = ["profile", "email"];
+
 export const naver = (options: NaverOptions) => {
 	const tokenEndpoint = "https://nid.naver.com/oauth2.0/token";
 	return {
 		id: "naver",
 		name: "Naver",
+		callbackPath: "/callback/naver",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["profile", "email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				NAVER_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "naver",
 				options,
 				authorizationEndpoint: "https://nid.naver.com/oauth2.0/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
 				additionalParams,
@@ -110,5 +116,5 @@ export const naver = (options: NaverOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<NaverProfile>;
+	} satisfies UpstreamProvider<NaverProfile>;
 };

package/src/social-providers/notion.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -23,11 +24,14 @@ export interface NotionOptions extends ProviderOptions<NotionProfile> {
 	clientId: string;
 }
 
+const NOTION_DEFAULT_SCOPES: string[] = [];
+
 export const notion = (options: NotionOptions) => {
 	const tokenEndpoint = "https://api.notion.com/v1/oauth/token";
 	return {
 		id: "notion",
 		name: "Notion",
+		callbackPath: "/callback/notion",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -35,14 +39,16 @@ export const notion = (options: NotionOptions) => {
 			redirectURI,
 			additionalParams,
 		}) {
-			const _scopes: string[] = options.disableDefaultScope ? [] : [];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				NOTION_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "notion",
 				options,
 				authorizationEndpoint: "https://api.notion.com/v1/oauth/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
 				loginHint,
@@ -111,5 +117,5 @@ export const notion = (options: NotionOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<NotionProfile>;
+	} satisfies UpstreamProvider<NotionProfile>;
 };

package/src/social-providers/paybin.ts

@@ -1,10 +1,11 @@
 import { decodeJwt } from "jose";
 import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -28,6 +29,8 @@ export interface PaybinOptions extends ProviderOptions<PaybinProfile> {
 	issuer?: string | undefined;
 }
 
+const PAYBIN_DEFAULT_SCOPES = ["openid", "email", "profile"];
+
 export const paybin = (options: PaybinOptions) => {
 	const issuer = options.issuer || "https://idp.paybin.io";
 	const authorizationEndpoint = `${issuer}/oauth2/authorize`;
@@ -36,7 +39,8 @@ export const paybin = (options: PaybinOptions) => {
 	return {
 		id: "paybin",
 		name: "Paybin",
-		async createAuthorizationURL({
+		callbackPath: "/callback/paybin",
+		createAuthorizationURL({
 			state,
 			scopes,
 			codeVerifier,
@@ -53,16 +57,16 @@ export const paybin = (options: PaybinOptions) => {
 			if (!codeVerifier) {
 				throw new BetterAuthError("codeVerifier is required for Paybin");
 			}
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["openid", "email", "profile"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			const url = await createAuthorizationURL({
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				PAYBIN_DEFAULT_SCOPES,
+				scopes,
+			);
+			return createAuthorizationURL({
 				id: "paybin",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -70,7 +74,6 @@ export const paybin = (options: PaybinOptions) => {
 				loginHint,
 				additionalParams,
 			});
-			return url;
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
 			return validateAuthorizationCode({
@@ -116,5 +119,5 @@ export const paybin = (options: PaybinOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<PaybinProfile>;
+	} satisfies UpstreamProvider<PaybinProfile>;
 };

package/src/social-providers/paypal.ts

@@ -1,9 +1,8 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt } from "jose";
 import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import { createAuthorizationURL } from "../oauth2";
 
 export interface PayPalProfile {
@@ -78,7 +77,8 @@ export const paypal = (options: PayPalOptions) => {
 	return {
 		id: "paypal",
 		name: "PayPal",
-		async createAuthorizationURL({
+		callbackPath: "/callback/paypal",
+		createAuthorizationURL({
 			state,
 			codeVerifier,
 			redirectURI,
@@ -97,20 +97,17 @@ export const paypal = (options: PayPalOptions) => {
 			 * We don't pass any scopes to avoid "invalid scope" errors
 			 **/
 
-			const _scopes: string[] = [];
-
-			const url = await createAuthorizationURL({
+			return createAuthorizationURL({
 				id: "paypal",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: [],
 				state,
 				codeVerifier,
 				redirectURI,
 				prompt: options.prompt,
 				additionalParams,
 			});
-			return url;
 		},
 
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
@@ -200,22 +197,6 @@ export const paypal = (options: PayPalOptions) => {
 					}
 				},
 
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) {
-				return false;
-			}
-			if (options.verifyIdToken) {
-				return options.verifyIdToken(token, nonce);
-			}
-			try {
-				const payload = decodeJwt(token);
-				return !!payload.sub;
-			} catch (error) {
-				logger.error("Failed to verify PayPal ID token:", error);
-				return false;
-			}
-		},
-
 		async getUserInfo(token) {
 			if (options.getUserInfo) {
 				return options.getUserInfo(token);
@@ -265,5 +246,5 @@ export const paypal = (options: PayPalOptions) => {
 		},
 
 		options,
-	} satisfies OAuthProvider<PayPalProfile>;
+	} satisfies UpstreamProvider<PayPalProfile>;
 };

package/src/social-providers/polar.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -32,11 +33,14 @@ export interface PolarProfile {
 
 export interface PolarOptions extends ProviderOptions<PolarProfile> {}
 
+const POLAR_DEFAULT_SCOPES = ["openid", "profile", "email"];
+
 export const polar = (options: PolarOptions) => {
 	const tokenEndpoint = "https://api.polar.sh/v1/oauth2/token";
 	return {
 		id: "polar",
 		name: "Polar",
+		callbackPath: "/callback/polar",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -44,16 +48,16 @@ export const polar = (options: PolarOptions) => {
 			redirectURI,
 			additionalParams,
 		}) {
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["openid", "profile", "email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				POLAR_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "polar",
 				options,
 				authorizationEndpoint: "https://polar.sh/oauth2/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -114,5 +118,5 @@ export const polar = (options: PolarOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<PolarProfile>;
+	} satisfies UpstreamProvider<PolarProfile>;
 };

package/src/social-providers/railway.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -25,27 +26,30 @@ export interface RailwayOptions extends ProviderOptions<RailwayProfile> {
 	clientId: string;
 }
 
+const RAILWAY_DEFAULT_SCOPES = ["openid", "email", "profile"];
+
 export const railway = (options: RailwayOptions) => {
 	return {
 		id: "railway",
 		name: "Railway",
-		createAuthorizationURL({
+		callbackPath: "/callback/railway",
+		async createAuthorizationURL({
 			state,
 			scopes,
 			codeVerifier,
 			redirectURI,
 			additionalParams,
 		}) {
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["openid", "email", "profile"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				RAILWAY_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "railway",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -103,5 +107,5 @@ export const railway = (options: RailwayOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<RailwayProfile>;
+	} satisfies UpstreamProvider<RailwayProfile>;
 };

package/src/social-providers/reddit.ts

@@ -1,10 +1,11 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getOAuth2Tokens,
 	refreshAccessToken,
+	resolveRequestedScopes,
 } from "../oauth2";
 
 export interface RedditProfile {
@@ -21,19 +22,29 @@ export interface RedditOptions extends ProviderOptions<RedditProfile> {
 	duration?: string | undefined;
 }
 
+const REDDIT_DEFAULT_SCOPES = ["identity"];
+
 export const reddit = (options: RedditOptions) => {
 	return {
 		id: "reddit",
 		name: "Reddit",
-		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["identity"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/reddit",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			redirectURI,
+			additionalParams,
+		}) {
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				REDDIT_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "reddit",
 				options,
 				authorizationEndpoint: "https://www.reddit.com/api/v1/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
 				duration: options.duration,
@@ -105,19 +116,23 @@ export const reddit = (options: RedditOptions) => {
 			}
 
 			const userMap = await options.mapProfileToUser?.(profile);
-
+			// Reddit's identity scope does not return an email. Synthesize a stable,
+			// non-routable placeholder (RFC 2606 `.invalid`) keyed to the user's
+			// Reddit id rather than the routable `reddit.com`, which could collide
+			// with a real address. Left unverified; `mapProfileToUser` can override.
+			const email = userMap?.email || `${profile.id}@reddit.invalid`;
 			return {
 				user: {
 					id: profile.id,
 					name: profile.name,
-					email: profile.oauth_client_id,
-					emailVerified: profile.has_verified_email,
 					image: profile.icon_img?.split("?")[0]!,
 					...userMap,
+					email,
+					emailVerified: userMap?.emailVerified ?? false,
 				},
 				data: profile,
 			};
 		},
 		options,
-	} satisfies OAuthProvider<RedditProfile>;
+	} satisfies UpstreamProvider<RedditProfile>;
 };