@better-auth/core 1.7.0-beta.4 → 1.7.0-beta.6

package/dist/social-providers/paybin.mjs

@@ -1,10 +1,16 @@
 import { BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { decodeJwt } from "jose";
 //#region src/social-providers/paybin.ts
+const PAYBIN_DEFAULT_SCOPES = [
+	"openid",
+	"email",
+	"profile"
+];
 const paybin = (options) => {
 	const issuer = options.issuer || "https://idp.paybin.io";
 	const authorizationEndpoint = `${issuer}/oauth2/authorize`;
@@ -12,24 +18,18 @@ const paybin = (options) => {
 	return {
 		id: "paybin",
 		name: "Paybin",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
+		callbackPath: "/callback/paybin",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Client Secret is required for Paybin. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Paybin");
-			const _scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"email",
-				"profile"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+			return createAuthorizationURL({
 				id: "paybin",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, PAYBIN_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/paypal.d.mts

@@ -51,6 +51,7 @@ interface PayPalOptions extends ProviderOptions<PayPalProfile> {
 declare const paypal: (options: PayPalOptions) => {
   id: "paypal";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     codeVerifier,
@@ -64,7 +65,10 @@ declare const paypal: (options: PayPalOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI
@@ -84,7 +88,6 @@ declare const paypal: (options: PayPalOptions) => {
     refreshToken: any;
     accessTokenExpiresAt: Date | undefined;
   }>);
-  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
   getUserInfo(token: OAuth2Tokens & {
     user?: {
       name?: {

package/dist/social-providers/paypal.mjs

@@ -2,7 +2,6 @@ import { BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { base64 } from "@better-auth/utils/base64";
-import { decodeJwt } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/paypal.ts
 const paypal = (options) => {
@@ -13,12 +12,18 @@ const paypal = (options) => {
 	return {
 		id: "paypal",
 		name: "PayPal",
-		async createAuthorizationURL({ state, codeVerifier, redirectURI, additionalParams }) {
+		callbackPath: "/callback/paypal",
+		createAuthorizationURL({ state, codeVerifier, redirectURI, additionalParams }) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Client Secret is required for PayPal. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			return await createAuthorizationURL({
+			/**
+			* Log in with PayPal doesn't use traditional OAuth2 scopes
+			* Instead, permissions are configured in the PayPal Developer Dashboard
+			* We don't pass any scopes to avoid "invalid scope" errors
+			**/
+			return createAuthorizationURL({
 				id: "paypal",
 				options,
 				authorizationEndpoint,
@@ -91,16 +96,6 @@ const paypal = (options) => {
 				throw new BetterAuthError("FAILED_TO_REFRESH_ACCESS_TOKEN");
 			}
 		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) return false;
-			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
-			try {
-				return !!decodeJwt(token).sub;
-			} catch (error) {
-				logger.error("Failed to verify PayPal ID token:", error);
-				return false;
-			}
-		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) return options.getUserInfo(token);
 			if (!token.accessToken) {

package/dist/social-providers/polar.d.mts

@@ -25,6 +25,7 @@ interface PolarOptions extends ProviderOptions<PolarProfile> {}
 declare const polar: (options: PolarOptions) => {
   id: "polar";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -39,7 +40,10 @@ declare const polar: (options: PolarOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/polar.mjs

@@ -1,26 +1,26 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/polar.ts
+const POLAR_DEFAULT_SCOPES = [
+	"openid",
+	"profile",
+	"email"
+];
 const polar = (options) => {
 	const tokenEndpoint = "https://api.polar.sh/v1/oauth2/token";
 	return {
 		id: "polar",
 		name: "Polar",
+		callbackPath: "/callback/polar",
 		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"profile",
-				"email"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "polar",
 				options,
 				authorizationEndpoint: "https://polar.sh/oauth2/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, POLAR_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/railway.d.mts

@@ -16,6 +16,7 @@ interface RailwayOptions extends ProviderOptions<RailwayProfile> {
 declare const railway: (options: RailwayOptions) => {
   id: "railway";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -30,7 +31,10 @@ declare const railway: (options: RailwayOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/railway.mjs

@@ -1,3 +1,4 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -6,23 +7,22 @@ import { betterFetch } from "@better-fetch/fetch";
 const authorizationEndpoint = "https://backboard.railway.com/oauth/auth";
 const tokenEndpoint = "https://backboard.railway.com/oauth/token";
 const userinfoEndpoint = "https://backboard.railway.com/oauth/me";
+const RAILWAY_DEFAULT_SCOPES = [
+	"openid",
+	"email",
+	"profile"
+];
 const railway = (options) => {
 	return {
 		id: "railway",
 		name: "Railway",
-		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"email",
-				"profile"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/railway",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			return createAuthorizationURL({
 				id: "railway",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, RAILWAY_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/reddit.d.mts

@@ -15,6 +15,7 @@ interface RedditOptions extends ProviderOptions<RedditProfile> {
 declare const reddit: (options: RedditOptions) => {
   id: "reddit";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -28,7 +29,10 @@ declare const reddit: (options: RedditOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/reddit.mjs

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getOAuth2Tokens } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/reddit.ts
+const REDDIT_DEFAULT_SCOPES = ["identity"];
 const reddit = (options) => {
 	return {
 		id: "reddit",
 		name: "Reddit",
-		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["identity"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/reddit",
+		async createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			return createAuthorizationURL({
 				id: "reddit",
 				options,
 				authorizationEndpoint: "https://www.reddit.com/api/v1/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, REDDIT_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				duration: options.duration,
@@ -62,14 +62,15 @@ const reddit = (options) => {
 			} });
 			if (error) return null;
 			const userMap = await options.mapProfileToUser?.(profile);
+			const email = userMap?.email || `${profile.id}@reddit.invalid`;
 			return {
 				user: {
 					id: profile.id,
 					name: profile.name,
-					email: profile.oauth_client_id,
-					emailVerified: profile.has_verified_email,
 					image: profile.icon_img?.split("?")[0],
-					...userMap
+					...userMap,
+					email,
+					emailVerified: userMap?.emailVerified ?? false
 				},
 				data: profile
 			};

package/dist/social-providers/roblox.d.mts

@@ -23,6 +23,7 @@ interface RobloxOptions extends ProviderOptions<RobloxProfile> {
 declare const roblox: (options: RobloxOptions) => {
   id: "roblox";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -36,7 +37,10 @@ declare const roblox: (options: RobloxOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/roblox.mjs

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/roblox.ts
+const ROBLOX_DEFAULT_SCOPES = ["openid", "profile"];
 const roblox = (options) => {
 	const tokenEndpoint = "https://apis.roblox.com/oauth/v1/token";
 	return {
 		id: "roblox",
 		name: "Roblox",
-		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["openid", "profile"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/roblox",
+		async createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			return createAuthorizationURL({
 				id: "roblox",
 				options,
 				authorizationEndpoint: "https://apis.roblox.com/oauth/v1/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, ROBLOX_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				prompt: options.prompt || "select_account consent",

package/dist/social-providers/salesforce.d.mts

@@ -30,6 +30,7 @@ interface SalesforceOptions extends ProviderOptions<SalesforceProfile> {
 declare const salesforce: (options: SalesforceOptions) => {
   id: "salesforce";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -44,7 +45,10 @@ declare const salesforce: (options: SalesforceOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/salesforce.mjs

@@ -1,10 +1,16 @@
 import { BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/salesforce.ts
+const SALESFORCE_DEFAULT_SCOPES = [
+	"openid",
+	"email",
+	"profile"
+];
 const salesforce = (options) => {
 	const isSandbox = (options.environment ?? "production") === "sandbox";
 	const authorizationEndpoint = options.loginUrl ? `https://${options.loginUrl}/services/oauth2/authorize` : isSandbox ? "https://test.salesforce.com/services/oauth2/authorize" : "https://login.salesforce.com/services/oauth2/authorize";
@@ -13,24 +19,18 @@ const salesforce = (options) => {
 	return {
 		id: "salesforce",
 		name: "Salesforce",
+		callbackPath: "/callback/salesforce",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Client Secret are required for Salesforce. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Salesforce");
-			const _scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"email",
-				"profile"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "salesforce",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, SALESFORCE_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI: options.redirectURI || redirectURI,

package/dist/social-providers/slack.d.mts

@@ -36,6 +36,7 @@ interface SlackOptions extends ProviderOptions<SlackProfile> {
 declare const slack: (options: SlackOptions) => {
   id: "slack";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -49,7 +50,10 @@ declare const slack: (options: SlackOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/slack.mjs

@@ -1,26 +1,26 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/slack.ts
+const SLACK_DEFAULT_SCOPES = [
+	"openid",
+	"profile",
+	"email"
+];
 const slack = (options) => {
 	const tokenEndpoint = "https://slack.com/api/openid.connect.token";
 	return {
 		id: "slack",
 		name: "Slack",
-		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"profile",
-				"email"
-			];
-			if (scopes) _scopes.push(...scopes);
-			if (options.scope) _scopes.push(...options.scope);
+		callbackPath: "/callback/slack",
+		async createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			return createAuthorizationURL({
 				id: "slack",
 				options,
 				authorizationEndpoint: "https://slack.com/openid/connect/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, SLACK_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				additionalParams

package/dist/social-providers/spotify.d.mts

@@ -14,6 +14,7 @@ interface SpotifyOptions extends ProviderOptions<SpotifyProfile> {
 declare const spotify: (options: SpotifyOptions) => {
   id: "spotify";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -28,7 +29,10 @@ declare const spotify: (options: SpotifyOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/spotify.mjs

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/spotify.ts
+const SPOTIFY_DEFAULT_SCOPES = ["user-read-email"];
 const spotify = (options) => {
 	const tokenEndpoint = "https://accounts.spotify.com/api/token";
 	return {
 		id: "spotify",
 		name: "Spotify",
-		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["user-read-email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/spotify",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			return createAuthorizationURL({
 				id: "spotify",
 				options,
 				authorizationEndpoint: "https://accounts.spotify.com/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, SPOTIFY_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/tiktok.d.mts

@@ -121,6 +121,7 @@ interface TiktokOptions extends ProviderOptions {
 declare const tiktok: (options: TiktokOptions) => {
   id: "tiktok";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -134,7 +135,10 @@ declare const tiktok: (options: TiktokOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): URL;
+  }): {
+    url: URL;
+    requestedScopes: string[];
+  };
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/tiktok.mjs

@@ -1,19 +1,20 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { RESERVED_AUTHORIZATION_PARAMS_SET } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/tiktok.ts
+const TIKTOK_DEFAULT_SCOPES = ["user.info.profile"];
 const tiktok = (options) => {
 	const tokenEndpoint = "https://open.tiktokapis.com/v2/oauth/token/";
 	return {
 		id: "tiktok",
 		name: "TikTok",
+		callbackPath: "/callback/tiktok",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["user.info.profile"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(options, TIKTOK_DEFAULT_SCOPES, scopes);
 			const url = new URL("https://www.tiktok.com/v2/auth/authorize");
-			url.searchParams.set("scope", _scopes.join(","));
+			url.searchParams.set("scope", requestedScopes.join(","));
 			url.searchParams.set("response_type", "code");
 			url.searchParams.set("client_key", options.clientKey);
 			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
@@ -23,7 +24,10 @@ const tiktok = (options) => {
 				if (key === "client_key") continue;
 				url.searchParams.set(key, value);
 			}
-			return url;
+			return {
+				url,
+				requestedScopes
+			};
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
 			return validateAuthorizationCode({

package/dist/social-providers/twitch.d.mts

@@ -32,6 +32,7 @@ interface TwitchOptions extends ProviderOptions<TwitchProfile> {
 declare const twitch: (options: TwitchOptions) => {
   id: "twitch";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -45,7 +46,10 @@ declare const twitch: (options: TwitchOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/twitch.mjs

@@ -1,24 +1,24 @@
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { decodeJwt } from "jose";
 //#region src/social-providers/twitch.ts
+const TWITCH_DEFAULT_SCOPES = ["user:read:email", "openid"];
 const twitch = (options) => {
 	const tokenEndpoint = "https://id.twitch.tv/oauth2/token";
 	return {
 		id: "twitch",
 		name: "Twitch",
+		callbackPath: "/callback/twitch",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["user:read:email", "openid"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "twitch",
 				redirectURI,
 				options,
 				authorizationEndpoint: "https://id.twitch.tv/oauth2/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, TWITCH_DEFAULT_SCOPES, scopes),
 				state,
 				claims: options.claims || [
 					"email",

package/dist/social-providers/twitter.d.mts

@@ -82,6 +82,7 @@ interface TwitterOption extends ProviderOptions<TwitterProfile> {
 declare const twitter: (options: TwitterOption) => {
   id: "twitter";
   name: string;
+  callbackPath: string;
   createAuthorizationURL(data: {
     state: string;
     codeVerifier: string;
@@ -90,7 +91,10 @@ declare const twitter: (options: TwitterOption) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -106,9 +110,7 @@ declare const twitter: (options: TwitterOption) => {
     user?: {
       name?: {
         firstName?: string;
-        lastName
-
-        /** The fully resolved URL. */? /** The fully resolved URL. */: string;
+        lastName?: string;
       };
       email?: string;
     } | undefined;