npm - @better-auth/core - Versions diffs - 1.7.0-beta.4 → 1.7.0-beta.6 - Mend

@better-auth/core 1.7.0-beta.4 → 1.7.0-beta.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/dist/api/index.d.mts +47 -4
package/dist/api/index.mjs +40 -1
package/dist/context/global.mjs +1 -1
package/dist/context/transaction.d.mts +7 -4
package/dist/context/transaction.mjs +6 -3
package/dist/db/adapter/factory.mjs +57 -31
package/dist/db/adapter/index.d.mts +54 -10
package/dist/db/adapter/types.d.mts +1 -1
package/dist/db/get-tables.mjs +3 -3
package/dist/db/schema/account.d.mts +1 -1
package/dist/db/schema/account.mjs +1 -1
package/dist/db/type.d.mts +12 -7
package/dist/env/env-impl.mjs +1 -1
package/dist/error/codes.d.mts +5 -0
package/dist/error/codes.mjs +5 -0
package/dist/index.d.mts +2 -2
package/dist/instrumentation/tracer.mjs +1 -1
package/dist/oauth2/create-authorization-url.d.mts +4 -1
package/dist/oauth2/create-authorization-url.mjs +5 -2
package/dist/oauth2/dpop.d.mts +142 -0
package/dist/oauth2/dpop.mjs +246 -0
package/dist/oauth2/index.d.mts +6 -3
package/dist/oauth2/index.mjs +5 -2
package/dist/oauth2/oauth-provider.d.mts +128 -9
package/dist/oauth2/refresh-access-token.mjs +1 -1
package/dist/oauth2/scopes.d.mts +76 -0
package/dist/oauth2/scopes.mjs +96 -0
package/dist/oauth2/utils.mjs +2 -1
package/dist/oauth2/verify-id-token.d.mts +26 -0
package/dist/oauth2/verify-id-token.mjs +62 -0
package/dist/oauth2/verify.d.mts +88 -15
package/dist/oauth2/verify.mjs +187 -19
package/dist/social-providers/apple.d.mts +14 -2
package/dist/social-providers/apple.mjs +12 -36
package/dist/social-providers/atlassian.d.mts +5 -1
package/dist/social-providers/atlassian.mjs +4 -4
package/dist/social-providers/cognito.d.mts +13 -2
package/dist/social-providers/cognito.mjs +24 -32
package/dist/social-providers/discord.d.mts +5 -1
package/dist/social-providers/discord.mjs +7 -6
package/dist/social-providers/dropbox.d.mts +5 -1
package/dist/social-providers/dropbox.mjs +5 -5
package/dist/social-providers/facebook.d.mts +21 -2
package/dist/social-providers/facebook.mjs +46 -22
package/dist/social-providers/figma.d.mts +5 -1
package/dist/social-providers/figma.mjs +5 -5
package/dist/social-providers/github.d.mts +5 -1
package/dist/social-providers/github.mjs +4 -4
package/dist/social-providers/gitlab.d.mts +5 -1
package/dist/social-providers/gitlab.mjs +6 -6
package/dist/social-providers/google.d.mts +29 -3
package/dist/social-providers/google.mjs +24 -30
package/dist/social-providers/huggingface.d.mts +5 -1
package/dist/social-providers/huggingface.mjs +8 -8
package/dist/social-providers/index.d.mts +222 -42
package/dist/social-providers/kakao.d.mts +5 -1
package/dist/social-providers/kakao.mjs +8 -8
package/dist/social-providers/kick.d.mts +5 -1
package/dist/social-providers/kick.mjs +4 -4
package/dist/social-providers/line.d.mts +8 -2
package/dist/social-providers/line.mjs +12 -14
package/dist/social-providers/linear.d.mts +5 -1
package/dist/social-providers/linear.mjs +4 -4
package/dist/social-providers/linkedin.d.mts +5 -1
package/dist/social-providers/linkedin.mjs +10 -10
package/dist/social-providers/microsoft-entra-id.d.mts +41 -6
package/dist/social-providers/microsoft-entra-id.mjs +40 -36
package/dist/social-providers/naver.d.mts +5 -1
package/dist/social-providers/naver.mjs +4 -4
package/dist/social-providers/notion.d.mts +5 -1
package/dist/social-providers/notion.mjs +4 -4
package/dist/social-providers/paybin.d.mts +5 -1
package/dist/social-providers/paybin.mjs +10 -10
package/dist/social-providers/paypal.d.mts +5 -2
package/dist/social-providers/paypal.mjs +8 -13
package/dist/social-providers/polar.d.mts +5 -1
package/dist/social-providers/polar.mjs +8 -8
package/dist/social-providers/railway.d.mts +5 -1
package/dist/social-providers/railway.mjs +9 -9
package/dist/social-providers/reddit.d.mts +5 -1
package/dist/social-providers/reddit.mjs +9 -8
package/dist/social-providers/roblox.d.mts +5 -1
package/dist/social-providers/roblox.mjs +5 -5
package/dist/social-providers/salesforce.d.mts +5 -1
package/dist/social-providers/salesforce.mjs +8 -8
package/dist/social-providers/slack.d.mts +5 -1
package/dist/social-providers/slack.mjs +9 -9
package/dist/social-providers/spotify.d.mts +5 -1
package/dist/social-providers/spotify.mjs +5 -5
package/dist/social-providers/tiktok.d.mts +5 -1
package/dist/social-providers/tiktok.mjs +9 -5
package/dist/social-providers/twitch.d.mts +5 -1
package/dist/social-providers/twitch.mjs +4 -4
package/dist/social-providers/twitter.d.mts +6 -4
package/dist/social-providers/twitter.mjs +9 -9
package/dist/social-providers/vercel.d.mts +5 -1
package/dist/social-providers/vercel.mjs +4 -7
package/dist/social-providers/vk.d.mts +5 -1
package/dist/social-providers/vk.mjs +5 -5
package/dist/social-providers/wechat.d.mts +5 -1
package/dist/social-providers/wechat.mjs +10 -6
package/dist/social-providers/zoom.d.mts +6 -1
package/dist/social-providers/zoom.mjs +15 -9
package/dist/types/context.d.mts +27 -8
package/dist/types/index.d.mts +1 -1
package/dist/types/init-options.d.mts +137 -6
package/dist/types/plugin-client.d.mts +12 -2
package/dist/utils/host.mjs +4 -0
package/dist/utils/url.mjs +4 -3
package/package.json +7 -7
package/src/api/index.ts +82 -0
package/src/context/transaction.ts +45 -12
package/src/db/adapter/factory.ts +127 -64
package/src/db/adapter/index.ts +54 -9
package/src/db/adapter/types.ts +1 -0
package/src/db/get-tables.ts +8 -3
package/src/db/schema/account.ts +14 -2
package/src/db/type.ts +12 -7
package/src/env/env-impl.ts +1 -2
package/src/error/codes.ts +5 -0
package/src/oauth2/create-authorization-url.ts +2 -2
package/src/oauth2/dpop.ts +568 -0
package/src/oauth2/index.ts +61 -2
package/src/oauth2/oauth-provider.ts +140 -10
package/src/oauth2/refresh-access-token.ts +2 -2
package/src/oauth2/scopes.ts +118 -0
package/src/oauth2/utils.ts +2 -5
package/src/oauth2/verify-id-token.ts +111 -0
package/src/oauth2/verify.ts +372 -58
package/src/social-providers/apple.ts +24 -61
package/src/social-providers/atlassian.ts +12 -8
package/src/social-providers/cognito.ts +25 -47
package/src/social-providers/discord.ts +19 -8
package/src/social-providers/dropbox.ts +13 -7
package/src/social-providers/facebook.ts +97 -51
package/src/social-providers/figma.ts +13 -9
package/src/social-providers/github.ts +12 -8
package/src/social-providers/gitlab.ts +14 -8
package/src/social-providers/google.ts +66 -47
package/src/social-providers/huggingface.ts +12 -8
package/src/social-providers/kakao.ts +16 -8
package/src/social-providers/kick.ts +12 -7
package/src/social-providers/line.ts +37 -37
package/src/social-providers/linear.ts +12 -6
package/src/social-providers/linkedin.ts +14 -10
package/src/social-providers/microsoft-entra-id.ts +103 -59
package/src/social-providers/naver.ts +12 -6
package/src/social-providers/notion.ts +12 -6
package/src/social-providers/paybin.ts +14 -11
package/src/social-providers/paypal.ts +6 -25
package/src/social-providers/polar.ts +12 -8
package/src/social-providers/railway.ts +13 -9
package/src/social-providers/reddit.ts +25 -10
package/src/social-providers/roblox.ts +18 -7
package/src/social-providers/salesforce.ts +12 -8
package/src/social-providers/slack.ts +18 -9
package/src/social-providers/spotify.ts +13 -7
package/src/social-providers/tiktok.ts +13 -7
package/src/social-providers/twitch.ts +12 -8
package/src/social-providers/twitter.ts +17 -8
package/src/social-providers/vercel.ts +16 -10
package/src/social-providers/vk.ts +13 -7
package/src/social-providers/wechat.ts +28 -9
package/src/social-providers/zoom.ts +19 -6
package/src/types/context.ts +26 -8
package/src/types/index.ts +7 -0
package/src/types/init-options.ts +159 -8
package/src/types/plugin-client.ts +16 -2
package/src/utils/host.ts +15 -0
package/src/utils/url.ts +10 -4

package/dist/social-providers/github.mjs CHANGED Viewed

@@ -1,24 +1,24 @@
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getOAuth2Tokens } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { authorizationCodeRequest } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/github.ts
+const GITHUB_DEFAULT_SCOPES = ["read:user", "user:email"];
 const github = (options) => {
 	const tokenEndpoint = "https://github.com/login/oauth/access_token";
 	return {
 		id: "github",
 		name: "GitHub",
+		callbackPath: "/callback/github",
 		createAuthorizationURL({ state, scopes, loginHint, codeVerifier, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["read:user", "user:email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "github",
 				options,
 				authorizationEndpoint: "https://github.com/login/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, GITHUB_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/gitlab.d.mts CHANGED Viewed

@@ -52,6 +52,7 @@ interface GitlabOptions extends ProviderOptions<GitlabProfile> {
 declare const gitlab: (options: GitlabOptions) => {
   id: "gitlab";
   name: string;
+  callbackPath: string;
   createAuthorizationURL: ({
     state,
     scopes,
@@ -67,7 +68,10 @@ declare const gitlab: (options: GitlabOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }) => Promise<URL>;
+  }) => Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI,

package/dist/social-providers/gitlab.mjs CHANGED Viewed

@@ -1,3 +1,4 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -14,21 +15,20 @@ const issuerToEndpoints = (issuer) => {
 		userinfoEndpoint: cleanDoubleSlashes(`${baseUrl}/api/v4/user`)
 	};
 };
+const GITLAB_DEFAULT_SCOPES = ["read_user"];
 const gitlab = (options) => {
 	const { authorizationEndpoint, tokenEndpoint, userinfoEndpoint } = issuerToEndpoints(options.issuer);
 	const issuerId = "gitlab";
 	return {
 		id: issuerId,
 		name: "Gitlab",
-		createAuthorizationURL: async ({ state, scopes, codeVerifier, loginHint, redirectURI, additionalParams }) => {
-			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+		callbackPath: "/callback/gitlab",
+		createAuthorizationURL: ({ state, scopes, codeVerifier, loginHint, redirectURI, additionalParams }) => {
+			return createAuthorizationURL({
 				id: issuerId,
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, GITLAB_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				codeVerifier,

package/dist/social-providers/google.d.mts CHANGED Viewed

@@ -1,4 +1,6 @@
 import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import * as jose from "jose";
 //#region src/social-providers/google.d.ts
 interface GoogleProfile {
   aud: string;
@@ -37,13 +39,28 @@ interface GoogleOptions extends ProviderOptions<GoogleProfile> {
    */
   display?: ("page" | "popup" | "touch" | "wap") | undefined;
   /**
-   * The hosted domain of the user
+   * The hosted domain (Google Workspace) the user must belong to.
+   *
+   * This is sent to Google as the `hd` authorization hint and, when set, is
+   * also enforced against the `hd` claim of the returned id token/profile.
+   * Sign-in is rejected when the claim is missing or does not match, so this
+   * can be used to restrict sign-in to a Workspace domain.
    */
   hd?: string | undefined;
+  /**
+   * Enable incremental authorization via Google's `include_granted_scopes`
+   * parameter. When enabled, Google reports the user's full granted scope set
+   * in the token response.
+   *
+   * @default true
+   */
+  includeGrantedScopes?: boolean | undefined;
 }
 declare const google: (options: GoogleOptions) => {
   id: "google";
   name: string;
+  callbackPath: string;
+  grantAuthority: "full-grant" | "projection";
   createAuthorizationURL({
     state,
     scopes,
@@ -60,7 +77,10 @@ declare const google: (options: GoogleOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -72,7 +92,13 @@ declare const google: (options: GoogleOptions) => {
     deviceId?: string | undefined;
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
-  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  idToken: {
+    jwks: (header: jose.JWTHeaderParameters) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
+    issuer: string[];
+    audience: string | string[];
+    maxTokenAge: string;
+    verifyClaims: ((claims: Record<string, unknown>) => boolean) | undefined;
+  };
   getUserInfo(token: OAuth2Tokens & {
     user?: {
       name?: {

package/dist/social-providers/google.mjs CHANGED Viewed

@@ -1,34 +1,35 @@
 import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
-import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { decodeJwt, importJWK } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/google.ts
+const GOOGLE_DEFAULT_SCOPES = [
+	"email",
+	"profile",
+	"openid"
+];
 const google = (options) => {
 	return {
 		id: "google",
 		name: "Google",
+		callbackPath: "/callback/google",
+		grantAuthority: options.includeGrantedScopes !== false ? "full-grant" : "projection",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, display, additionalParams }) {
 			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Google");
-			const _scopes = options.disableDefaultScope ? [] : [
-				"email",
-				"profile",
-				"openid"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+			return createAuthorizationURL({
 				id: "google",
 				options,
 				authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, GOOGLE_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,
@@ -37,9 +38,9 @@ const google = (options) => {
 				display: display || options.display,
 				loginHint,
 				hd: options.hd,
-				additionalParams: {
-					include_granted_scopes: "true",
-					...additionalParams ?? {}
+				additionalParams: options.includeGrantedScopes === false ? { ...additionalParams ?? {} } : {
+					...additionalParams ?? {},
+					include_granted_scopes: "true"
 				}
 			});
 		},
@@ -63,28 +64,21 @@ const google = (options) => {
 				tokenEndpoint: "https://oauth2.googleapis.com/token"
 			});
 		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) return false;
-			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
-			try {
-				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
-				if (!kid || !jwtAlg) return false;
-				const { payload: jwtClaims } = await jwtVerify(token, await getGooglePublicKey(kid), {
-					algorithms: [jwtAlg],
-					issuer: ["https://accounts.google.com", "accounts.google.com"],
-					audience: options.clientId,
-					maxTokenAge: "1h"
-				});
-				if (nonce && jwtClaims.nonce !== nonce) return false;
-				return true;
-			} catch {
-				return false;
-			}
+		idToken: {
+			jwks: (header) => getGooglePublicKey(header.kid),
+			issuer: ["https://accounts.google.com", "accounts.google.com"],
+			audience: options.clientId,
+			maxTokenAge: "1h",
+			verifyClaims: options.hd ? (claims) => claims.hd === options.hd : void 0
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) return options.getUserInfo(token);
 			if (!token.idToken) return null;
 			const user = decodeJwt(token.idToken);
+			if (options.hd && user.hd !== options.hd) {
+				logger.error(`Google sign-in rejected: id token hosted domain (hd) "${user.hd ?? "<missing>"}" does not match the configured "hd" option "${options.hd}".`);
+				return null;
+			}
 			const userMap = await options.mapProfileToUser?.(user);
 			return {
 				user: {

package/dist/social-providers/huggingface.d.mts CHANGED Viewed

@@ -34,6 +34,7 @@ interface HuggingFaceOptions extends ProviderOptions<HuggingFaceProfile> {
 declare const huggingface: (options: HuggingFaceOptions) => {
   id: "huggingface";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -48,7 +49,10 @@ declare const huggingface: (options: HuggingFaceOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/huggingface.mjs CHANGED Viewed

@@ -1,26 +1,26 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/huggingface.ts
+const HUGGINGFACE_DEFAULT_SCOPES = [
+	"openid",
+	"profile",
+	"email"
+];
 const huggingface = (options) => {
 	const tokenEndpoint = "https://huggingface.co/oauth/token";
 	return {
 		id: "huggingface",
 		name: "Hugging Face",
+		callbackPath: "/callback/huggingface",
 		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"profile",
-				"email"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "huggingface",
 				options,
 				authorizationEndpoint: "https://huggingface.co/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, HUGGINGFACE_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,