@better-auth/core 1.7.0-beta.5 → 1.7.0-beta.7

package/dist/oauth2/verify.mjs

@@ -1,4 +1,5 @@
 import { logger } from "../env/logger.mjs";
+import { createInMemoryDpopReplayStore, enforceDpopBinding, getDpopJktFromPayload, isDpopBindingError, parseAccessTokenAuthorization } from "./dpop.mjs";
 import { APIError } from "better-call";
 import { UnsecuredJWT, createLocalJWKSet, decodeProtectedHeader, errors, jwtVerify } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
@@ -11,13 +12,65 @@ const joseInfrastructureErrorCodes = new Set([
 function isJoseInfrastructureError(error) {
 	return joseInfrastructureErrorCodes.has(error.code);
 }
+/**
+* @internal
+*/
 const jwksCache = /* @__PURE__ */ new Map();
 /**
+* Cache for function jwks sources, keyed by a caller-provided stable object.
+* Entries are released with their key, so per-request keys cannot accumulate.
+*/
+const functionJwksCache = /* @__PURE__ */ new WeakMap();
+/**
 * How long a cached JWKS is trusted before it is refetched
 *
 * @internal
 */
 const JWKS_CACHE_TTL_MS = 300 * 1e3;
+const JWKS_NO_KID_REFETCH_COOLDOWN_MS = 30 * 1e3;
+/**
+* Returns the cached key set when it is within the TTL. When the token carries
+* `kid`, the cached set must contain that key id; without `kid`, key selection
+* is deferred to JOSE because RFC 7515 makes the header parameter optional.
+*/
+function getFreshJwksWithKid(cached, kid) {
+	if (!cached) return void 0;
+	if (Date.now() - cached.fetchedAt >= JWKS_CACHE_TTL_MS) return void 0;
+	if (kid && !cached.jwks.keys.some((jwk) => jwk.kid === kid)) return;
+	return cached.jwks;
+}
+function shouldRefetchCachedJwksWithoutKid(error, resolved) {
+	if (!(resolved.fromCache && !resolved.kid && (error instanceof errors.JWKSNoMatchingKey || error instanceof errors.JWSSignatureVerificationFailed))) return false;
+	if (!resolved.noKidRefetchedAt) return true;
+	return Date.now() - resolved.noKidRefetchedAt >= JWKS_NO_KID_REFETCH_COOLDOWN_MS;
+}
+async function fetchJwks(jwksFetch) {
+	const jwks = typeof jwksFetch === "string" ? await betterFetch(jwksFetch, { headers: { Accept: "application/json" } }).then(async (res) => {
+		if (res.error) throw new Error(`Jwks failed: ${res.error.message ?? res.error.statusText}`);
+		return res.data;
+	}) : await jwksFetch();
+	if (!jwks) throw new Error("No jwks found");
+	return jwks;
+}
+/**
+* Builds a {@link ResourceRequestInput} from a standard `Request`, reading the
+* `Authorization` and `DPoP` headers and the request method and URL. Resource
+* servers share this so every entry point maps the wire request the same way.
+*/
+function requestToResourceInput(request) {
+	return {
+		authorizationHeader: request.headers.get("authorization"),
+		dpopProofJwt: request.headers.get("dpop"),
+		method: request.method,
+		url: request.url
+	};
+}
+/**
+* Process-local, single-instance replay store. See the warning on
+* {@link VerifyAccessTokenRequestOptions.dpop.replayStore}; multi-instance
+* resource servers must pass their own shared store.
+*/
+const defaultDpopReplayStore = createInMemoryDpopReplayStore();
 /**
 * Performs local verification of an access token for your APIs.
 *
@@ -25,7 +78,17 @@ const JWKS_CACHE_TTL_MS = 300 * 1e3;
 */
 async function verifyJwsAccessToken(token, opts) {
 	try {
-		const jwt = await jwtVerify(token, createLocalJWKSet(await getJwks(token, opts)), opts.verifyOptions);
+		const resolved = await getJwksForVerification(token, opts);
+		let jwt;
+		try {
+			jwt = await jwtVerify(token, createLocalJWKSet(resolved.jwks), opts.verifyOptions);
+		} catch (error) {
+			if (shouldRefetchCachedJwksWithoutKid(error, resolved)) jwt = await jwtVerify(token, createLocalJWKSet((await getJwksForVerification(token, {
+				...opts,
+				forceRefresh: true
+			})).jwks), opts.verifyOptions);
+			else throw error;
+		}
 		if (jwt.payload.azp) jwt.payload.client_id = jwt.payload.azp;
 		return jwt.payload;
 	} catch (error) {
@@ -34,6 +97,9 @@ async function verifyJwsAccessToken(token, opts) {
 	}
 }
 async function getJwks(token, opts) {
+	return (await getJwksForVerification(token, opts)).jwks;
+}
+async function getJwksForVerification(token, opts) {
 	let jwtHeaders;
 	try {
 		jwtHeaders = decodeProtectedHeader(token);
@@ -41,32 +107,65 @@ async function getJwks(token, opts) {
 		if (error instanceof Error) throw error;
 		throw new Error(error);
 	}
-	if (!jwtHeaders.kid) throw new APIError("UNAUTHORIZED", { message: "invalid access token" });
 	const kid = jwtHeaders.kid;
+	if (typeof opts.jwksFetch !== "string") {
+		const cacheKey = opts.jwksCacheKey;
+		if (!cacheKey) {
+			const jwks = await opts.jwksFetch();
+			if (!jwks) throw new Error("No jwks found");
+			return {
+				jwks,
+				fromCache: false,
+				kid
+			};
+		}
+		const cached = functionJwksCache.get(cacheKey);
+		const cachedJwks = opts.forceRefresh ? void 0 : getFreshJwksWithKid(cached, kid);
+		if (cachedJwks) return {
+			jwks: cachedJwks,
+			fromCache: true,
+			kid,
+			noKidRefetchedAt: cached?.noKidRefetchedAt
+		};
+		const jwks = await opts.jwksFetch();
+		if (!jwks) throw new Error("No jwks found");
+		const fetchedAt = Date.now();
+		functionJwksCache.set(cacheKey, {
+			jwks,
+			fetchedAt,
+			...opts.forceRefresh && !kid ? { noKidRefetchedAt: fetchedAt } : {}
+		});
+		return {
+			jwks,
+			fromCache: false,
+			kid
+		};
+	}
 	const cacheKey = opts.jwksFetch;
 	const cached = jwksCache.get(cacheKey);
-	const isFresh = cached ? Date.now() - cached.fetchedAt < JWKS_CACHE_TTL_MS : false;
-	const hasKid = cached?.jwks.keys.some((jwk) => jwk.kid === kid) ?? false;
-	if (!cached || !isFresh || !hasKid) {
-		const jwks = typeof opts.jwksFetch === "string" ? await betterFetch(opts.jwksFetch, { headers: { Accept: "application/json" } }).then(async (res) => {
-			if (res.error) throw new Error(`Jwks failed: ${res.error.message ?? res.error.statusText}`);
-			return res.data;
-		}) : await opts.jwksFetch();
-		if (!jwks) throw new Error("No jwks found");
+	const cachedJwks = opts.forceRefresh ? void 0 : getFreshJwksWithKid(cached, kid);
+	if (!cachedJwks) {
+		const jwks = await fetchJwks(opts.jwksFetch);
+		const fetchedAt = Date.now();
 		jwksCache.set(cacheKey, {
 			jwks,
-			fetchedAt: Date.now()
+			fetchedAt,
+			...opts.forceRefresh && !kid ? { noKidRefetchedAt: fetchedAt } : {}
 		});
-		return jwks;
+		return {
+			jwks,
+			fromCache: false,
+			kid
+		};
 	}
-	return cached.jwks;
+	return {
+		jwks: cachedJwks,
+		fromCache: true,
+		kid,
+		noKidRefetchedAt: cached?.noKidRefetchedAt
+	};
 }
-/**
-* Performs local verification of an access token for your API.
-*
-* Can also be configured for remote verification.
-*/
-async function verifyAccessToken(token, opts) {
+async function verifyAccessTokenPayload(token, opts) {
 	let payload;
 	if (opts.jwksUrl && !opts?.remoteVerify?.force) try {
 		payload = await verifyJwsAccessToken(token, {
@@ -114,5 +213,58 @@ async function verifyAccessToken(token, opts) {
 	}
 	return payload;
 }
+function throwDpopUnauthorized(message, error) {
+	throw new APIError("UNAUTHORIZED", error ? {
+		message,
+		error,
+		error_description: message
+	} : { message });
+}
+/**
+* Performs local verification of a bearer access token for your API.
+*
+* Can also be configured for remote verification. DPoP-bound access tokens
+* require {@link verifyAccessTokenRequest}, because sender-constraining cannot
+* be verified without the HTTP method, URL, Authorization scheme, DPoP proof,
+* and access-token hash. This function rejects DPoP-bound tokens; reach for it
+* only when you hold a raw token string and intentionally accept bearer tokens
+* alone.
+*/
+async function verifyBearerToken(token, opts) {
+	const payload = await verifyAccessTokenPayload(token, opts);
+	if (getDpopJktFromPayload(payload)) throwDpopUnauthorized("DPoP-bound access token requires verifyAccessTokenRequest", "invalid_token");
+	return payload;
+}
+/**
+* Verifies an HTTP resource request carrying an OAuth access token. This is the
+* recommended resource-server entry point: it handles both bearer and
+* DPoP-bound tokens, the bearer case being the request with no DPoP proof.
+*
+* It performs the same token validation as {@link verifyBearerToken}, then adds
+* the RFC 9449 sender-constraint checks that need request context: authorization
+* scheme, method, URL, DPoP proof, `ath`, and `cnf.jkt` binding.
+*/
+async function verifyAccessTokenRequest(request, opts) {
+	const authorization = parseAccessTokenAuthorization(request.authorizationHeader);
+	if (!authorization?.token) throwDpopUnauthorized("missing authorization header");
+	if (authorization.scheme === "Unknown") throwDpopUnauthorized("authorization scheme must be Bearer or DPoP", "invalid_token");
+	const payload = await verifyAccessTokenPayload(authorization.token, opts);
+	try {
+		await enforceDpopBinding({
+			payload,
+			authorization,
+			proofJwt: request.dpopProofJwt,
+			method: request.method,
+			url: request.url,
+			replayStore: opts.dpop?.replayStore ?? defaultDpopReplayStore,
+			proofMaxAgeSeconds: opts.dpop?.proofMaxAgeSeconds,
+			signingAlgorithms: opts.dpop?.signingAlgorithms
+		});
+	} catch (error) {
+		if (isDpopBindingError(error)) throwDpopUnauthorized(error.message, error.code);
+		throw error;
+	}
+	return payload;
+}
 //#endregion
-export { getJwks, verifyAccessToken, verifyJwsAccessToken };
+export { getJwks, requestToResourceInput, verifyAccessTokenRequest, verifyBearerToken, verifyJwsAccessToken };

package/dist/social-providers/apple.d.mts

@@ -82,6 +82,7 @@ declare const apple: (options: AppleOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -106,6 +107,7 @@ declare const apple: (options: AppleOptions) => {
   };
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/atlassian.d.mts

@@ -35,6 +35,7 @@ declare const atlassian: (options: AtlassianOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -52,6 +53,7 @@ declare const atlassian: (options: AtlassianOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/cognito.d.mts

@@ -63,6 +63,7 @@ declare const cognito: (options: CognitoOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -86,6 +87,7 @@ declare const cognito: (options: CognitoOptions) => {
     maxTokenAge: string;
   };
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/discord.d.mts

@@ -90,6 +90,7 @@ declare const discord: (options: DiscordOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -106,6 +107,7 @@ declare const discord: (options: DiscordOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/dropbox.d.mts

@@ -34,6 +34,7 @@ declare const dropbox: (options: DropboxOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }) => Promise<{
     url: URL;
@@ -51,6 +52,7 @@ declare const dropbox: (options: DropboxOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/facebook.d.mts

@@ -46,6 +46,7 @@ declare const facebook: (options: FacebookOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -76,6 +77,7 @@ declare const facebook: (options: FacebookOptions) => {
   };
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/figma.d.mts

@@ -26,6 +26,7 @@ declare const figma: (options: FigmaOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -43,6 +44,7 @@ declare const figma: (options: FigmaOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/github.d.mts

@@ -67,6 +67,7 @@ declare const github: (options: GithubOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -84,6 +85,7 @@ declare const github: (options: GithubOptions) => {
   }) => Promise<OAuth2Tokens | null>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/gitlab.d.mts

@@ -67,6 +67,7 @@ declare const gitlab: (options: GitlabOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }) => Promise<{
     url: URL;
@@ -84,6 +85,7 @@ declare const gitlab: (options: GitlabOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/google.d.mts

@@ -76,6 +76,7 @@ declare const google: (options: GoogleOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -100,6 +101,7 @@ declare const google: (options: GoogleOptions) => {
     verifyClaims: ((claims: Record<string, unknown>) => boolean) | undefined;
   };
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/huggingface.d.mts

@@ -48,6 +48,7 @@ declare const huggingface: (options: HuggingFaceOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -65,6 +66,7 @@ declare const huggingface: (options: HuggingFaceOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;