@better-auth/core 1.7.0-beta.4 → 1.7.0-beta.6

package/src/social-providers/roblox.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -36,20 +37,30 @@ export interface RobloxOptions extends ProviderOptions<RobloxProfile> {
 		| undefined;
 }
 
+const ROBLOX_DEFAULT_SCOPES = ["openid", "profile"];
+
 export const roblox = (options: RobloxOptions) => {
 	const tokenEndpoint = "https://apis.roblox.com/oauth/v1/token";
 	return {
 		id: "roblox",
 		name: "Roblox",
-		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["openid", "profile"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/roblox",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			redirectURI,
+			additionalParams,
+		}) {
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				ROBLOX_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "roblox",
 				options,
 				authorizationEndpoint: "https://apis.roblox.com/oauth/v1/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
 				prompt: options.prompt || "select_account consent",
@@ -113,5 +124,5 @@ export const roblox = (options: RobloxOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<RobloxProfile>;
+	} satisfies UpstreamProvider<RobloxProfile>;
 };

package/src/social-providers/salesforce.ts

@@ -1,10 +1,11 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -39,6 +40,8 @@ export interface SalesforceOptions extends ProviderOptions<SalesforceProfile> {
 	redirectURI?: string | undefined;
 }
 
+const SALESFORCE_DEFAULT_SCOPES = ["openid", "email", "profile"];
+
 export const salesforce = (options: SalesforceOptions) => {
 	const environment = options.environment ?? "production";
 	const isSandbox = environment === "sandbox";
@@ -63,6 +66,7 @@ export const salesforce = (options: SalesforceOptions) => {
 	return {
 		id: "salesforce",
 		name: "Salesforce",
+		callbackPath: "/callback/salesforce",
 
 		async createAuthorizationURL({
 			state,
@@ -81,17 +85,17 @@ export const salesforce = (options: SalesforceOptions) => {
 				throw new BetterAuthError("codeVerifier is required for Salesforce");
 			}
 
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["openid", "email", "profile"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				SALESFORCE_DEFAULT_SCOPES,
+				scopes,
+			);
 
 			return createAuthorizationURL({
 				id: "salesforce",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				codeVerifier,
 				redirectURI: options.redirectURI || redirectURI,
@@ -162,5 +166,5 @@ export const salesforce = (options: SalesforceOptions) => {
 		},
 
 		options,
-	} satisfies OAuthProvider<SalesforceProfile>;
+	} satisfies UpstreamProvider<SalesforceProfile>;
 };

package/src/social-providers/slack.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -41,22 +42,30 @@ export interface SlackOptions extends ProviderOptions<SlackProfile> {
 	clientId: string;
 }
 
+const SLACK_DEFAULT_SCOPES = ["openid", "profile", "email"];
+
 export const slack = (options: SlackOptions) => {
 	const tokenEndpoint = "https://slack.com/api/openid.connect.token";
 	return {
 		id: "slack",
 		name: "Slack",
-		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["openid", "profile", "email"];
-			if (scopes) _scopes.push(...scopes);
-			if (options.scope) _scopes.push(...options.scope);
+		callbackPath: "/callback/slack",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			redirectURI,
+			additionalParams,
+		}) {
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				SLACK_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "slack",
 				options,
 				authorizationEndpoint: "https://slack.com/openid/connect/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
 				additionalParams,
@@ -114,5 +123,5 @@ export const slack = (options: SlackOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<SlackProfile>;
+	} satisfies UpstreamProvider<SlackProfile>;
 };

package/src/social-providers/spotify.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -19,26 +20,31 @@ export interface SpotifyOptions extends ProviderOptions<SpotifyProfile> {
 	clientId: string;
 }
 
+const SPOTIFY_DEFAULT_SCOPES = ["user-read-email"];
+
 export const spotify = (options: SpotifyOptions) => {
 	const tokenEndpoint = "https://accounts.spotify.com/api/token";
 	return {
 		id: "spotify",
 		name: "Spotify",
-		createAuthorizationURL({
+		callbackPath: "/callback/spotify",
+		async createAuthorizationURL({
 			state,
 			scopes,
 			codeVerifier,
 			redirectURI,
 			additionalParams,
 		}) {
-			const _scopes = options.disableDefaultScope ? [] : ["user-read-email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				SPOTIFY_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "spotify",
 				options,
 				authorizationEndpoint: "https://accounts.spotify.com/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -97,5 +103,5 @@ export const spotify = (options: SpotifyOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<SpotifyProfile>;
+	} satisfies UpstreamProvider<SpotifyProfile>;
 };

package/src/social-providers/tiktok.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	RESERVED_AUTHORIZATION_PARAMS_SET,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -130,19 +131,24 @@ export interface TiktokOptions extends ProviderOptions {
 	clientKey: string;
 }
 
+const TIKTOK_DEFAULT_SCOPES = ["user.info.profile"];
+
 export const tiktok = (options: TiktokOptions) => {
 	const tokenEndpoint = "https://open.tiktokapis.com/v2/oauth/token/";
 	return {
 		id: "tiktok",
 		name: "TikTok",
+		callbackPath: "/callback/tiktok",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["user.info.profile"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				TIKTOK_DEFAULT_SCOPES,
+				scopes,
+			);
 			// TikTok uses `client_key` instead of the standard `client_id`, so the
 			// shared createAuthorizationURL helper cannot be used directly.
 			const url = new URL("https://www.tiktok.com/v2/auth/authorize");
-			url.searchParams.set("scope", _scopes.join(","));
+			url.searchParams.set("scope", requestedScopes.join(","));
 			url.searchParams.set("response_type", "code");
 			url.searchParams.set("client_key", options.clientKey);
 			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
@@ -154,7 +160,7 @@ export const tiktok = (options: TiktokOptions) => {
 					url.searchParams.set(key, value);
 				}
 			}
-			return url;
+			return { url, requestedScopes };
 		},
 
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
@@ -220,5 +226,5 @@ export const tiktok = (options: TiktokOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<TiktokProfile, TiktokOptions>;
+	} satisfies UpstreamProvider<TiktokProfile, TiktokOptions>;
 };

package/src/social-providers/twitch.ts

@@ -1,9 +1,10 @@
 import { decodeJwt } from "jose";
 import { logger } from "../env";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -37,23 +38,26 @@ export interface TwitchOptions extends ProviderOptions<TwitchProfile> {
 	clientId: string;
 	claims?: string[] | undefined;
 }
+const TWITCH_DEFAULT_SCOPES = ["user:read:email", "openid"];
+
 export const twitch = (options: TwitchOptions) => {
 	const tokenEndpoint = "https://id.twitch.tv/oauth2/token";
 	return {
 		id: "twitch",
 		name: "Twitch",
+		callbackPath: "/callback/twitch",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["user:read:email", "openid"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				TWITCH_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "twitch",
 				redirectURI,
 				options,
 				authorizationEndpoint: "https://id.twitch.tv/oauth2/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				claims: options.claims || [
 					"email",
@@ -109,5 +113,5 @@ export const twitch = (options: TwitchOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<TwitchProfile>;
+	} satisfies UpstreamProvider<TwitchProfile>;
 };

package/src/social-providers/twitter.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -103,22 +104,30 @@ export interface TwitterOption extends ProviderOptions<TwitterProfile> {
 	clientId: string;
 }
 
+const TWITTER_DEFAULT_SCOPES = [
+	"users.read",
+	"tweet.read",
+	"offline.access",
+	"users.email",
+];
+
 export const twitter = (options: TwitterOption) => {
 	const tokenEndpoint = "https://api.x.com/2/oauth2/token";
 	return {
 		id: "twitter",
 		name: "Twitter",
+		callbackPath: "/callback/twitter",
 		createAuthorizationURL(data) {
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["users.read", "tweet.read", "offline.access", "users.email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (data.scopes) _scopes.push(...data.scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				TWITTER_DEFAULT_SCOPES,
+				data.scopes,
+			);
 			return createAuthorizationURL({
 				id: "twitter",
 				options,
 				authorizationEndpoint: "https://x.com/i/oauth2/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state: data.state,
 				codeVerifier: data.codeVerifier,
 				redirectURI: data.redirectURI,
@@ -196,5 +205,5 @@ export const twitter = (options: TwitterOption) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<TwitterProfile>;
+	} satisfies UpstreamProvider<TwitterProfile>;
 };

package/src/social-providers/vercel.ts

@@ -1,7 +1,11 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
-import { createAuthorizationURL, validateAuthorizationCode } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import {
+	createAuthorizationURL,
+	resolveRequestedScopes,
+	validateAuthorizationCode,
+} from "../oauth2";
 
 export interface VercelProfile {
 	sub: string;
@@ -16,10 +20,13 @@ export interface VercelOptions extends ProviderOptions<VercelProfile> {
 	clientId: string;
 }
 
+const VERCEL_DEFAULT_SCOPES: string[] = [];
+
 export const vercel = (options: VercelOptions) => {
 	return {
 		id: "vercel",
 		name: "Vercel",
+		callbackPath: "/callback/vercel",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -31,18 +38,17 @@ export const vercel = (options: VercelOptions) => {
 				throw new BetterAuthError("codeVerifier is required for Vercel");
 			}
 
-			let _scopes: string[] | undefined = undefined;
-			if (options.scope !== undefined || scopes !== undefined) {
-				_scopes = [];
-				if (options.scope) _scopes.push(...options.scope);
-				if (scopes) _scopes.push(...scopes);
-			}
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				VERCEL_DEFAULT_SCOPES,
+				scopes,
+			);
 
 			return createAuthorizationURL({
 				id: "vercel",
 				options,
 				authorizationEndpoint: "https://vercel.com/oauth/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -90,5 +96,5 @@ export const vercel = (options: VercelOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<VercelProfile>;
+	} satisfies UpstreamProvider<VercelProfile>;
 };

package/src/social-providers/vk.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -25,28 +26,33 @@ export interface VkOption extends ProviderOptions {
 	scheme?: ("light" | "dark") | undefined;
 }
 
+const VK_DEFAULT_SCOPES = ["email", "phone"];
+
 export const vk = (options: VkOption) => {
 	const tokenEndpoint = "https://id.vk.com/oauth2/auth";
 	return {
 		id: "vk",
 		name: "VK",
-		async createAuthorizationURL({
+		callbackPath: "/callback/vk",
+		createAuthorizationURL({
 			state,
 			scopes,
 			codeVerifier,
 			redirectURI,
 			additionalParams,
 		}) {
-			const _scopes = options.disableDefaultScope ? [] : ["email", "phone"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				VK_DEFAULT_SCOPES,
+				scopes,
+			);
 			const authorizationEndpoint = "https://id.vk.com/authorize";
 
 			return createAuthorizationURL({
 				id: "vk",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
 				codeVerifier,
@@ -128,5 +134,5 @@ export const vk = (options: VkOption) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<VkProfile>;
+	} satisfies UpstreamProvider<VkProfile>;
 };

package/src/social-providers/wechat.ts

@@ -1,6 +1,13 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuth2Tokens, OAuthProvider, ProviderOptions } from "../oauth2";
-import { RESERVED_AUTHORIZATION_PARAMS_SET } from "../oauth2";
+import type {
+	OAuth2Tokens,
+	ProviderOptions,
+	UpstreamProvider,
+} from "../oauth2";
+import {
+	RESERVED_AUTHORIZATION_PARAMS_SET,
+	resolveRequestedScopes,
+} from "../oauth2";
 
 /**
  * WeChat user profile information
@@ -55,19 +62,24 @@ export interface WeChatOptions extends ProviderOptions<WeChatProfile> {
 	lang?: "cn" | "en";
 }
 
+const WECHAT_DEFAULT_SCOPES = ["snsapi_login"];
+
 export const wechat = (options: WeChatOptions) => {
 	return {
 		id: "wechat",
 		name: "WeChat",
+		callbackPath: "/callback/wechat",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["snsapi_login"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				WECHAT_DEFAULT_SCOPES,
+				scopes,
+			);
 
 			// WeChat uses non-standard OAuth2 parameters (appid instead of client_id)
 			// and requires a fragment (#wechat_redirect), so we construct the URL manually.
 			const url = new URL("https://open.weixin.qq.com/connect/qrconnect");
-			url.searchParams.set("scope", _scopes.join(","));
+			url.searchParams.set("scope", requestedScopes.join(","));
 			url.searchParams.set("response_type", "code");
 			url.searchParams.set("appid", options.clientId);
 			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
@@ -82,7 +94,7 @@ export const wechat = (options: WeChatOptions) => {
 			}
 			url.hash = "wechat_redirect";
 
-			return url;
+			return { url, requestedScopes };
 		},
 
 		// WeChat uses non-standard token exchange (appid/secret instead of
@@ -208,7 +220,14 @@ export const wechat = (options: WeChatOptions) => {
 				user: {
 					id: profile.unionid || profile.openid || openid,
 					name: profile.nickname,
-					email: profile.email || null,
+					// WeChat does not return an email, and the OAuth callback rejects a
+					// missing one, so the default sign-in would always fail. Synthesize a
+					// stable, non-routable placeholder (RFC 2606 `.invalid`) keyed to the
+					// user's WeChat id, left unverified. Applications that collect a real
+					// email override it via `mapProfileToUser`.
+					email:
+						profile.email ||
+						`${profile.unionid || profile.openid || openid}@wechat.invalid`,
 					image: profile.headimgurl,
 					emailVerified: false,
 					...userMap,
@@ -217,5 +236,5 @@ export const wechat = (options: WeChatOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<WeChatProfile, WeChatOptions>;
+	} satisfies UpstreamProvider<WeChatProfile, WeChatOptions>;
 };

package/src/social-providers/zoom.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -143,6 +144,8 @@ export interface ZoomOptions extends ProviderOptions<ZoomProfile> {
 	pkce?: boolean | undefined;
 }
 
+const ZOOM_DEFAULT_SCOPES: string[] = [];
+
 export const zoom = (userOptions: ZoomOptions) => {
 	const options = {
 		pkce: true,
@@ -152,21 +155,31 @@ export const zoom = (userOptions: ZoomOptions) => {
 	return {
 		id: "zoom",
 		name: "Zoom",
-		createAuthorizationURL: async ({
+		callbackPath: "/callback/zoom",
+		createAuthorizationURL: ({
 			state,
+			scopes,
 			redirectURI,
 			codeVerifier,
 			additionalParams,
-		}) =>
-			createAuthorizationURL({
+		}) => {
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				ZOOM_DEFAULT_SCOPES,
+				scopes,
+			);
+
+			return createAuthorizationURL({
 				id: "zoom",
 				options,
 				authorizationEndpoint: "https://zoom.us/oauth/authorize",
+				scopes: requestedScopes,
 				state,
 				redirectURI,
 				codeVerifier: options.pkce ? codeVerifier : undefined,
 				additionalParams,
-			}),
+			});
+		},
 		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
 			return validateAuthorizationCode({
 				code,
@@ -222,5 +235,5 @@ export const zoom = (userOptions: ZoomOptions) => {
 				},
 			};
 		},
-	} satisfies OAuthProvider<ZoomProfile>;
+	} satisfies UpstreamProvider<ZoomProfile>;
 };