npm - @better-auth/core - Versions diffs - 1.7.0-beta.4 → 1.7.0-beta.6 - Mend

@better-auth/core 1.7.0-beta.4 → 1.7.0-beta.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/dist/api/index.d.mts +47 -4
package/dist/api/index.mjs +40 -1
package/dist/context/global.mjs +1 -1
package/dist/context/transaction.d.mts +7 -4
package/dist/context/transaction.mjs +6 -3
package/dist/db/adapter/factory.mjs +57 -31
package/dist/db/adapter/index.d.mts +54 -10
package/dist/db/adapter/types.d.mts +1 -1
package/dist/db/get-tables.mjs +3 -3
package/dist/db/schema/account.d.mts +1 -1
package/dist/db/schema/account.mjs +1 -1
package/dist/db/type.d.mts +12 -7
package/dist/env/env-impl.mjs +1 -1
package/dist/error/codes.d.mts +5 -0
package/dist/error/codes.mjs +5 -0
package/dist/index.d.mts +2 -2
package/dist/instrumentation/tracer.mjs +1 -1
package/dist/oauth2/create-authorization-url.d.mts +4 -1
package/dist/oauth2/create-authorization-url.mjs +5 -2
package/dist/oauth2/dpop.d.mts +142 -0
package/dist/oauth2/dpop.mjs +246 -0
package/dist/oauth2/index.d.mts +6 -3
package/dist/oauth2/index.mjs +5 -2
package/dist/oauth2/oauth-provider.d.mts +128 -9
package/dist/oauth2/refresh-access-token.mjs +1 -1
package/dist/oauth2/scopes.d.mts +76 -0
package/dist/oauth2/scopes.mjs +96 -0
package/dist/oauth2/utils.mjs +2 -1
package/dist/oauth2/verify-id-token.d.mts +26 -0
package/dist/oauth2/verify-id-token.mjs +62 -0
package/dist/oauth2/verify.d.mts +88 -15
package/dist/oauth2/verify.mjs +187 -19
package/dist/social-providers/apple.d.mts +14 -2
package/dist/social-providers/apple.mjs +12 -36
package/dist/social-providers/atlassian.d.mts +5 -1
package/dist/social-providers/atlassian.mjs +4 -4
package/dist/social-providers/cognito.d.mts +13 -2
package/dist/social-providers/cognito.mjs +24 -32
package/dist/social-providers/discord.d.mts +5 -1
package/dist/social-providers/discord.mjs +7 -6
package/dist/social-providers/dropbox.d.mts +5 -1
package/dist/social-providers/dropbox.mjs +5 -5
package/dist/social-providers/facebook.d.mts +21 -2
package/dist/social-providers/facebook.mjs +46 -22
package/dist/social-providers/figma.d.mts +5 -1
package/dist/social-providers/figma.mjs +5 -5
package/dist/social-providers/github.d.mts +5 -1
package/dist/social-providers/github.mjs +4 -4
package/dist/social-providers/gitlab.d.mts +5 -1
package/dist/social-providers/gitlab.mjs +6 -6
package/dist/social-providers/google.d.mts +29 -3
package/dist/social-providers/google.mjs +24 -30
package/dist/social-providers/huggingface.d.mts +5 -1
package/dist/social-providers/huggingface.mjs +8 -8
package/dist/social-providers/index.d.mts +222 -42
package/dist/social-providers/kakao.d.mts +5 -1
package/dist/social-providers/kakao.mjs +8 -8
package/dist/social-providers/kick.d.mts +5 -1
package/dist/social-providers/kick.mjs +4 -4
package/dist/social-providers/line.d.mts +8 -2
package/dist/social-providers/line.mjs +12 -14
package/dist/social-providers/linear.d.mts +5 -1
package/dist/social-providers/linear.mjs +4 -4
package/dist/social-providers/linkedin.d.mts +5 -1
package/dist/social-providers/linkedin.mjs +10 -10
package/dist/social-providers/microsoft-entra-id.d.mts +41 -6
package/dist/social-providers/microsoft-entra-id.mjs +40 -36
package/dist/social-providers/naver.d.mts +5 -1
package/dist/social-providers/naver.mjs +4 -4
package/dist/social-providers/notion.d.mts +5 -1
package/dist/social-providers/notion.mjs +4 -4
package/dist/social-providers/paybin.d.mts +5 -1
package/dist/social-providers/paybin.mjs +10 -10
package/dist/social-providers/paypal.d.mts +5 -2
package/dist/social-providers/paypal.mjs +8 -13
package/dist/social-providers/polar.d.mts +5 -1
package/dist/social-providers/polar.mjs +8 -8
package/dist/social-providers/railway.d.mts +5 -1
package/dist/social-providers/railway.mjs +9 -9
package/dist/social-providers/reddit.d.mts +5 -1
package/dist/social-providers/reddit.mjs +9 -8
package/dist/social-providers/roblox.d.mts +5 -1
package/dist/social-providers/roblox.mjs +5 -5
package/dist/social-providers/salesforce.d.mts +5 -1
package/dist/social-providers/salesforce.mjs +8 -8
package/dist/social-providers/slack.d.mts +5 -1
package/dist/social-providers/slack.mjs +9 -9
package/dist/social-providers/spotify.d.mts +5 -1
package/dist/social-providers/spotify.mjs +5 -5
package/dist/social-providers/tiktok.d.mts +5 -1
package/dist/social-providers/tiktok.mjs +9 -5
package/dist/social-providers/twitch.d.mts +5 -1
package/dist/social-providers/twitch.mjs +4 -4
package/dist/social-providers/twitter.d.mts +6 -4
package/dist/social-providers/twitter.mjs +9 -9
package/dist/social-providers/vercel.d.mts +5 -1
package/dist/social-providers/vercel.mjs +4 -7
package/dist/social-providers/vk.d.mts +5 -1
package/dist/social-providers/vk.mjs +5 -5
package/dist/social-providers/wechat.d.mts +5 -1
package/dist/social-providers/wechat.mjs +10 -6
package/dist/social-providers/zoom.d.mts +6 -1
package/dist/social-providers/zoom.mjs +15 -9
package/dist/types/context.d.mts +27 -8
package/dist/types/index.d.mts +1 -1
package/dist/types/init-options.d.mts +137 -6
package/dist/types/plugin-client.d.mts +12 -2
package/dist/utils/host.mjs +4 -0
package/dist/utils/url.mjs +4 -3
package/package.json +7 -7
package/src/api/index.ts +82 -0
package/src/context/transaction.ts +45 -12
package/src/db/adapter/factory.ts +127 -64
package/src/db/adapter/index.ts +54 -9
package/src/db/adapter/types.ts +1 -0
package/src/db/get-tables.ts +8 -3
package/src/db/schema/account.ts +14 -2
package/src/db/type.ts +12 -7
package/src/env/env-impl.ts +1 -2
package/src/error/codes.ts +5 -0
package/src/oauth2/create-authorization-url.ts +2 -2
package/src/oauth2/dpop.ts +568 -0
package/src/oauth2/index.ts +61 -2
package/src/oauth2/oauth-provider.ts +140 -10
package/src/oauth2/refresh-access-token.ts +2 -2
package/src/oauth2/scopes.ts +118 -0
package/src/oauth2/utils.ts +2 -5
package/src/oauth2/verify-id-token.ts +111 -0
package/src/oauth2/verify.ts +372 -58
package/src/social-providers/apple.ts +24 -61
package/src/social-providers/atlassian.ts +12 -8
package/src/social-providers/cognito.ts +25 -47
package/src/social-providers/discord.ts +19 -8
package/src/social-providers/dropbox.ts +13 -7
package/src/social-providers/facebook.ts +97 -51
package/src/social-providers/figma.ts +13 -9
package/src/social-providers/github.ts +12 -8
package/src/social-providers/gitlab.ts +14 -8
package/src/social-providers/google.ts +66 -47
package/src/social-providers/huggingface.ts +12 -8
package/src/social-providers/kakao.ts +16 -8
package/src/social-providers/kick.ts +12 -7
package/src/social-providers/line.ts +37 -37
package/src/social-providers/linear.ts +12 -6
package/src/social-providers/linkedin.ts +14 -10
package/src/social-providers/microsoft-entra-id.ts +103 -59
package/src/social-providers/naver.ts +12 -6
package/src/social-providers/notion.ts +12 -6
package/src/social-providers/paybin.ts +14 -11
package/src/social-providers/paypal.ts +6 -25
package/src/social-providers/polar.ts +12 -8
package/src/social-providers/railway.ts +13 -9
package/src/social-providers/reddit.ts +25 -10
package/src/social-providers/roblox.ts +18 -7
package/src/social-providers/salesforce.ts +12 -8
package/src/social-providers/slack.ts +18 -9
package/src/social-providers/spotify.ts +13 -7
package/src/social-providers/tiktok.ts +13 -7
package/src/social-providers/twitch.ts +12 -8
package/src/social-providers/twitter.ts +17 -8
package/src/social-providers/vercel.ts +16 -10
package/src/social-providers/vk.ts +13 -7
package/src/social-providers/wechat.ts +28 -9
package/src/social-providers/zoom.ts +19 -6
package/src/types/context.ts +26 -8
package/src/types/index.ts +7 -0
package/src/types/init-options.ts +159 -8
package/src/types/plugin-client.ts +16 -2
package/src/utils/host.ts +15 -0
package/src/utils/url.ts +10 -4

package/dist/social-providers/kakao.d.mts CHANGED Viewed

@@ -93,6 +93,7 @@ interface KakaoOptions extends ProviderOptions<KakaoProfile> {
 declare const kakao: (options: KakaoOptions) => {
   id: "kakao";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -106,7 +107,10 @@ declare const kakao: (options: KakaoOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/kakao.mjs CHANGED Viewed

@@ -1,26 +1,26 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/kakao.ts
+const KAKAO_DEFAULT_SCOPES = [
+	"account_email",
+	"profile_image",
+	"profile_nickname"
+];
 const kakao = (options) => {
 	const tokenEndpoint = "https://kauth.kakao.com/oauth/token";
 	return {
 		id: "kakao",
 		name: "Kakao",
+		callbackPath: "/callback/kakao",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"account_email",
-				"profile_image",
-				"profile_nickname"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "kakao",
 				options,
 				authorizationEndpoint: "https://kauth.kakao.com/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, KAKAO_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				additionalParams

package/dist/social-providers/kick.d.mts CHANGED Viewed

@@ -24,6 +24,7 @@ interface KickOptions extends ProviderOptions<KickProfile> {
 declare const kick: (options: KickOptions) => {
   id: "kick";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -38,7 +39,10 @@ declare const kick: (options: KickOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode({
     code,
     redirectURI,

package/dist/social-providers/kick.mjs CHANGED Viewed

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/kick.ts
+const KICK_DEFAULT_SCOPES = ["user:read"];
 const kick = (options) => {
 	return {
 		id: "kick",
 		name: "Kick",
+		callbackPath: "/callback/kick",
 		createAuthorizationURL({ state, scopes, redirectURI, codeVerifier, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["user:read"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "kick",
 				redirectURI,
 				options,
 				authorizationEndpoint: "https://id.kick.com/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, KICK_DEFAULT_SCOPES, scopes),
 				codeVerifier,
 				state,
 				additionalParams

package/dist/social-providers/line.d.mts CHANGED Viewed

@@ -33,6 +33,7 @@ interface LineOptions extends ProviderOptions<LineUserInfo | LineIdTokenPayload>
 declare const line: (options: LineOptions) => {
   id: "line";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -48,7 +49,10 @@ declare const line: (options: LineOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -60,7 +64,9 @@ declare const line: (options: LineOptions) => {
     deviceId?: string | undefined;
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
-  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  idToken: {
+    verify: (token: string, nonce: string | undefined) => Promise<boolean>;
+  };
   getUserInfo(token: OAuth2Tokens & {
     user?: {
       name?: {

package/dist/social-providers/line.mjs CHANGED Viewed

@@ -1,9 +1,15 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { decodeJwt } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/line.ts
+const LINE_DEFAULT_SCOPES = [
+	"openid",
+	"profile",
+	"email"
+];
 /**
 * LINE Login v2.1
 * - Authorization endpoint: https://access.line.me/oauth2/v2.1/authorize
@@ -21,19 +27,13 @@ const line = (options) => {
 	return {
 		id: "line",
 		name: "LINE",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"profile",
-				"email"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+		callbackPath: "/callback/line",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
+			return createAuthorizationURL({
 				id: "line",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, LINE_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,
@@ -60,9 +60,7 @@ const line = (options) => {
 				tokenEndpoint
 			});
 		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) return false;
-			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+		idToken: { verify: async (token, nonce) => {
 			const body = new URLSearchParams();
 			body.set("id_token", token);
 			body.set("client_id", options.clientId);
@@ -76,7 +74,7 @@ const line = (options) => {
 			if (data.aud !== options.clientId) return false;
 			if (data.nonce && data.nonce !== nonce) return false;
 			return true;
-		},
+		} },
 		async getUserInfo(token) {
 			if (options.getUserInfo) return options.getUserInfo(token);
 			let profile = null;

package/dist/social-providers/linear.d.mts CHANGED Viewed

@@ -20,6 +20,7 @@ interface LinearOptions extends ProviderOptions<LinearUser> {
 declare const linear: (options: LinearOptions) => {
   id: "linear";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -34,7 +35,10 @@ declare const linear: (options: LinearOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/linear.mjs CHANGED Viewed

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/linear.ts
+const LINEAR_DEFAULT_SCOPES = ["read"];
 const linear = (options) => {
 	const tokenEndpoint = "https://api.linear.app/oauth/token";
 	return {
 		id: "linear",
 		name: "Linear",
+		callbackPath: "/callback/linear",
 		createAuthorizationURL({ state, scopes, loginHint, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["read"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "linear",
 				options,
 				authorizationEndpoint: "https://linear.app/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, LINEAR_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				loginHint,

package/dist/social-providers/linkedin.d.mts CHANGED Viewed

@@ -19,6 +19,7 @@ interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
 declare const linkedin: (options: LinkedInOptions) => {
   id: "linkedin";
   name: string;
+  callbackPath: string;
   createAuthorizationURL: ({
     state,
     scopes,
@@ -33,7 +34,10 @@ declare const linkedin: (options: LinkedInOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }) => Promise<URL>;
+  }) => Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/linkedin.mjs CHANGED Viewed

@@ -1,27 +1,27 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/linkedin.ts
+const LINKEDIN_DEFAULT_SCOPES = [
+	"profile",
+	"email",
+	"openid"
+];
 const linkedin = (options) => {
 	const authorizationEndpoint = "https://www.linkedin.com/oauth/v2/authorization";
 	const tokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
 	return {
 		id: "linkedin",
 		name: "Linkedin",
-		createAuthorizationURL: async ({ state, scopes, redirectURI, loginHint, additionalParams }) => {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"profile",
-				"email",
-				"openid"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+		callbackPath: "/callback/linkedin",
+		createAuthorizationURL: ({ state, scopes, redirectURI, loginHint, additionalParams }) => {
+			return createAuthorizationURL({
 				id: "linkedin",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, LINKEDIN_DEFAULT_SCOPES, scopes),
 				state,
 				loginHint,
 				redirectURI,

package/dist/social-providers/microsoft-entra-id.d.mts CHANGED Viewed

@@ -1,4 +1,7 @@
+import { ClientAssertionGetter } from "../oauth2/client-assertion.mjs";
 import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import * as jose from "jose";
 //#region src/social-providers/microsoft-entra-id.d.ts
 /**
  * @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)
@@ -109,25 +112,34 @@ interface MicrosoftOptions extends ProviderOptions<MicrosoftEntraIDProfile> {
    * The tenant ID of the Microsoft account
    * @default "common"
    */
-  tenantId?: string | undefined;
+  tenantId?: string;
   /**
    * The authentication authority URL. Use the default "https://login.microsoftonline.com" for standard Entra ID or "https://<tenant-id>.ciamlogin.com" for CIAM scenarios.
    * @default "https://login.microsoftonline.com"
    */
-  authority?: string | undefined;
+  authority?: string;
+  /**
+   * Function that returns a JWT client assertion for token endpoint authentication.
+   *
+   * Use this instead of `clientSecret` when your Microsoft Entra ID app is
+   * configured for client authentication with assertions (private_key_jwt or
+   * workload identity federation).
+   */
+  clientAssertion?: ClientAssertionGetter;
   /**
    * The size of the profile photo
    * @default 48
    */
-  profilePhotoSize?: (48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648) | undefined;
+  profilePhotoSize?: 48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648;
   /**
    * Disable profile photo
    */
-  disableProfilePhoto?: boolean | undefined;
+  disableProfilePhoto?: boolean;
 }
 declare const microsoft: (options: MicrosoftOptions) => {
   id: "microsoft";
   name: string;
+  callbackPath: string;
   createAuthorizationURL(data: {
     state: string;
     codeVerifier: string;
@@ -136,7 +148,10 @@ declare const microsoft: (options: MicrosoftOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode({
     code,
     codeVerifier,
@@ -147,7 +162,27 @@ declare const microsoft: (options: MicrosoftOptions) => {
     codeVerifier?: string | undefined;
     deviceId?: string | undefined;
   }): Promise<OAuth2Tokens>;
-  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  idToken: {
+    jwks: (header: jose.JWTHeaderParameters) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
+    audience: string | string[];
+    maxTokenAge: string;
+    /**
+     * Issuer varies per tenant for multi-tenant endpoints, so only validate it for
+     * specific tenants.
+     * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
+     */
+    issuer: string | undefined;
+    /**
+     * The multi-tenant endpoints (common/organizations/consumers) skip the
+     * issuer check above because the issuer varies per tenant, and the
+     * organizations and consumers JWKS sets overlap. Enforce the tenant
+     * binding explicitly so a token from a disallowed account class cannot
+     * pass: the issuer must name the token's own tenant, and the account
+     * class must match the configured restriction.
+     * @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
+     */
+    verifyClaims: (claims: Record<string, unknown>) => boolean;
+  };
   getUserInfo(token: OAuth2Tokens & {
     user?: {
       name?: {

package/dist/social-providers/microsoft-entra-id.mjs CHANGED Viewed

@@ -1,42 +1,56 @@
 import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { base64 } from "@better-auth/utils/base64";
-import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { decodeJwt, importJWK } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/microsoft-entra-id.ts
+/**
+* Microsoft's fixed tenant id for personal (consumer) Microsoft accounts. Every
+* personal-account token carries it as the `tid` claim, so it distinguishes the
+* consumer account class from work/school tenants.
+* @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
+*/
+const MICROSOFT_CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
+const MICROSOFT_ENTRA_ID_DEFAULT_SCOPES = [
+	"openid",
+	"profile",
+	"email",
+	"User.Read",
+	"offline_access"
+];
 const microsoft = (options) => {
 	const tenant = options.tenantId || "common";
-	const authority = options.authority || "https://login.microsoftonline.com";
+	let authority = options.authority || "https://login.microsoftonline.com";
+	while (authority.endsWith("/")) authority = authority.slice(0, -1);
 	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
 	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
+	if (options.clientSecret && options.clientAssertion) throw new BetterAuthError("Microsoft Entra ID clientAssertion cannot be combined with clientSecret");
+	const tokenEndpointAuth = options.clientAssertion ? {
+		method: "private_key_jwt",
+		getClientAssertion: options.clientAssertion
+	} : void 0;
 	return {
 		id: "microsoft",
 		name: "Microsoft EntraID",
+		callbackPath: "/callback/microsoft",
 		createAuthorizationURL(data) {
 			if (!getPrimaryClientId(options.clientId)) {
 				logger.error("Client Id is required for Microsoft Entra ID. Make sure to provide it in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"profile",
-				"email",
-				"User.Read",
-				"offline_access"
-			];
-			if (options.scope) scopes.push(...options.scope);
-			if (data.scopes) scopes.push(...data.scopes);
+			const requestedScopes = resolveRequestedScopes(options, MICROSOFT_ENTRA_ID_DEFAULT_SCOPES, data.scopes);
 			return createAuthorizationURL({
 				id: "microsoft",
 				options,
 				authorizationEndpoint,
 				state: data.state,
 				codeVerifier: data.codeVerifier,
-				scopes,
+				scopes: requestedScopes,
 				redirectURI: data.redirectURI,
 				prompt: options.prompt,
 				loginHint: data.loginHint,
@@ -49,32 +63,21 @@ const microsoft = (options) => {
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint
+				tokenEndpoint,
+				tokenEndpointAuth
 			});
 		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) return false;
-			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
-			try {
-				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
-				if (!kid || !jwtAlg) return false;
-				const publicKey = await getMicrosoftPublicKey(kid, tenant, authority);
-				const verifyOptions = {
-					algorithms: [jwtAlg],
-					audience: options.clientId,
-					maxTokenAge: "1h"
-				};
-				/**
-				* Issuer varies per user's tenant for multi-tenant endpoints, so only validate for specific tenants.
-				* @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
-				*/
-				if (tenant !== "common" && tenant !== "organizations" && tenant !== "consumers") verifyOptions.issuer = `${authority}/${tenant}/v2.0`;
-				const { payload: jwtClaims } = await jwtVerify(token, publicKey, verifyOptions);
-				if (nonce && jwtClaims.nonce !== nonce) return false;
+		idToken: {
+			jwks: (header) => getMicrosoftPublicKey(header.kid, tenant, authority),
+			audience: options.clientId,
+			maxTokenAge: "1h",
+			issuer: tenant !== "common" && tenant !== "organizations" && tenant !== "consumers" ? `${authority}/${tenant}/v2.0` : void 0,
+			verifyClaims: (claims) => {
+				const tid = claims.tid;
+				if (typeof tid !== "string" || claims.iss !== `${authority}/${tid}/v2.0`) return false;
+				if (tenant === "organizations" && tid === MICROSOFT_CONSUMER_TENANT_ID) return false;
+				if (tenant === "consumers" && tid !== MICROSOFT_CONSUMER_TENANT_ID) return false;
 				return true;
-			} catch (error) {
-				logger.error("Failed to verify ID token:", error);
-				return false;
 			}
 		},
 		async getUserInfo(token) {
@@ -124,7 +127,8 @@ const microsoft = (options) => {
 					clientSecret: options.clientSecret
 				},
 				extraParams: { scope: scopes.join(" ") },
-				tokenEndpoint
+				tokenEndpoint,
+				tokenEndpointAuth
 			});
 		},
 		options

package/dist/social-providers/naver.d.mts CHANGED Viewed

@@ -24,6 +24,7 @@ interface NaverOptions extends ProviderOptions<NaverProfile> {
 declare const naver: (options: NaverOptions) => {
   id: "naver";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -37,7 +38,10 @@ declare const naver: (options: NaverOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/naver.mjs CHANGED Viewed

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/naver.ts
+const NAVER_DEFAULT_SCOPES = ["profile", "email"];
 const naver = (options) => {
 	const tokenEndpoint = "https://nid.naver.com/oauth2.0/token";
 	return {
 		id: "naver",
 		name: "Naver",
+		callbackPath: "/callback/naver",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["profile", "email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "naver",
 				options,
 				authorizationEndpoint: "https://nid.naver.com/oauth2.0/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, NAVER_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				additionalParams

package/dist/social-providers/notion.d.mts CHANGED Viewed

@@ -16,6 +16,7 @@ interface NotionOptions extends ProviderOptions<NotionProfile> {
 declare const notion: (options: NotionOptions) => {
   id: "notion";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -30,7 +31,10 @@ declare const notion: (options: NotionOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/notion.mjs CHANGED Viewed

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/notion.ts
+const NOTION_DEFAULT_SCOPES = [];
 const notion = (options) => {
 	const tokenEndpoint = "https://api.notion.com/v1/oauth/token";
 	return {
 		id: "notion",
 		name: "Notion",
+		callbackPath: "/callback/notion",
 		createAuthorizationURL({ state, scopes, loginHint, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : [];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "notion",
 				options,
 				authorizationEndpoint: "https://api.notion.com/v1/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, NOTION_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				loginHint,

package/dist/social-providers/paybin.d.mts CHANGED Viewed

@@ -21,6 +21,7 @@ interface PaybinOptions extends ProviderOptions<PaybinProfile> {
 declare const paybin: (options: PaybinOptions) => {
   id: "paybin";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -36,7 +37,10 @@ declare const paybin: (options: PaybinOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,