@better-auth/core 1.7.0-beta.5 → 1.7.0-beta.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (87)
  1. package/dist/api/index.d.mts +44 -1
  2. package/dist/api/index.mjs +40 -1
  3. package/dist/context/global.mjs +1 -1
  4. package/dist/context/transaction.d.mts +7 -4
  5. package/dist/context/transaction.mjs +6 -3
  6. package/dist/db/adapter/factory.mjs +57 -31
  7. package/dist/db/adapter/index.d.mts +54 -10
  8. package/dist/db/adapter/types.d.mts +1 -1
  9. package/dist/db/type.d.mts +12 -7
  10. package/dist/instrumentation/tracer.mjs +1 -1
  11. package/dist/oauth2/create-authorization-url.d.mts +3 -1
  12. package/dist/oauth2/create-authorization-url.mjs +3 -1
  13. package/dist/oauth2/dpop.d.mts +142 -0
  14. package/dist/oauth2/dpop.mjs +246 -0
  15. package/dist/oauth2/index.d.mts +4 -3
  16. package/dist/oauth2/index.mjs +3 -2
  17. package/dist/oauth2/oauth-provider.d.mts +37 -3
  18. package/dist/oauth2/refresh-access-token.mjs +15 -1
  19. package/dist/oauth2/verify.d.mts +74 -15
  20. package/dist/oauth2/verify.mjs +172 -20
  21. package/dist/social-providers/apple.d.mts +2 -0
  22. package/dist/social-providers/atlassian.d.mts +2 -0
  23. package/dist/social-providers/cognito.d.mts +2 -0
  24. package/dist/social-providers/discord.d.mts +2 -0
  25. package/dist/social-providers/dropbox.d.mts +2 -0
  26. package/dist/social-providers/facebook.d.mts +2 -0
  27. package/dist/social-providers/figma.d.mts +2 -0
  28. package/dist/social-providers/github.d.mts +2 -0
  29. package/dist/social-providers/gitlab.d.mts +2 -0
  30. package/dist/social-providers/google.d.mts +2 -0
  31. package/dist/social-providers/huggingface.d.mts +2 -0
  32. package/dist/social-providers/index.d.mts +71 -0
  33. package/dist/social-providers/kakao.d.mts +2 -0
  34. package/dist/social-providers/kick.d.mts +2 -0
  35. package/dist/social-providers/line.d.mts +2 -0
  36. package/dist/social-providers/linear.d.mts +2 -0
  37. package/dist/social-providers/linkedin.d.mts +2 -0
  38. package/dist/social-providers/microsoft-entra-id.d.mts +12 -0
  39. package/dist/social-providers/microsoft-entra-id.mjs +17 -2
  40. package/dist/social-providers/naver.d.mts +2 -0
  41. package/dist/social-providers/notion.d.mts +2 -0
  42. package/dist/social-providers/paybin.d.mts +2 -0
  43. package/dist/social-providers/paypal.d.mts +2 -0
  44. package/dist/social-providers/polar.d.mts +2 -0
  45. package/dist/social-providers/railway.d.mts +2 -0
  46. package/dist/social-providers/reddit.d.mts +2 -0
  47. package/dist/social-providers/reddit.mjs +1 -1
  48. package/dist/social-providers/roblox.d.mts +2 -0
  49. package/dist/social-providers/salesforce.d.mts +2 -0
  50. package/dist/social-providers/slack.d.mts +2 -0
  51. package/dist/social-providers/spotify.d.mts +2 -0
  52. package/dist/social-providers/tiktok.d.mts +2 -0
  53. package/dist/social-providers/twitch.d.mts +2 -0
  54. package/dist/social-providers/twitter.d.mts +2 -0
  55. package/dist/social-providers/vercel.d.mts +2 -0
  56. package/dist/social-providers/vk.d.mts +2 -0
  57. package/dist/social-providers/wechat.d.mts +2 -0
  58. package/dist/social-providers/wechat.mjs +1 -1
  59. package/dist/social-providers/zoom.d.mts +2 -0
  60. package/dist/types/context.d.mts +17 -0
  61. package/dist/types/init-options.d.mts +45 -5
  62. package/dist/types/plugin-client.d.mts +12 -2
  63. package/dist/utils/host.d.mts +1 -1
  64. package/dist/utils/host.mjs +7 -0
  65. package/dist/utils/url.mjs +4 -3
  66. package/package.json +5 -5
  67. package/src/api/index.ts +82 -0
  68. package/src/context/transaction.ts +45 -12
  69. package/src/db/adapter/factory.ts +127 -72
  70. package/src/db/adapter/index.ts +54 -9
  71. package/src/db/adapter/types.ts +1 -0
  72. package/src/db/type.ts +12 -7
  73. package/src/oauth2/create-authorization-url.ts +4 -0
  74. package/src/oauth2/dpop.ts +568 -0
  75. package/src/oauth2/index.ts +45 -1
  76. package/src/oauth2/oauth-provider.ts +40 -2
  77. package/src/oauth2/refresh-access-token.ts +27 -3
  78. package/src/oauth2/verify-id-token.ts +2 -0
  79. package/src/oauth2/verify.ts +329 -66
  80. package/src/social-providers/microsoft-entra-id.ts +44 -1
  81. package/src/social-providers/reddit.ts +5 -1
  82. package/src/social-providers/wechat.ts +8 -1
  83. package/src/types/context.ts +18 -0
  84. package/src/types/init-options.ts +40 -8
  85. package/src/types/plugin-client.ts +16 -2
  86. package/src/utils/host.ts +25 -1
  87. package/src/utils/url.ts +10 -4
@@ -56,6 +56,7 @@ declare const socialProviders: {
56
56
  redirectURI: string;
57
57
  display?: string | undefined;
58
58
  loginHint?: string | undefined;
59
+ idTokenNonce?: string | undefined;
59
60
  additionalParams?: Record<string, string> | undefined;
60
61
  }): Promise<{
61
62
  url: URL;
@@ -80,6 +81,7 @@ declare const socialProviders: {
80
81
  };
81
82
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
82
83
  getUserInfo(token: OAuth2Tokens & {
84
+ expectedIdTokenNonce?: string | undefined;
83
85
  user?: {
84
86
  name?: {
85
87
  firstName?: string;
@@ -117,6 +119,7 @@ declare const socialProviders: {
117
119
  redirectURI: string;
118
120
  display?: string | undefined;
119
121
  loginHint?: string | undefined;
122
+ idTokenNonce?: string | undefined;
120
123
  additionalParams?: Record<string, string> | undefined;
121
124
  }): Promise<{
122
125
  url: URL;
@@ -134,6 +137,7 @@ declare const socialProviders: {
134
137
  }) => Promise<OAuth2Tokens>;
135
138
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
136
139
  getUserInfo(token: OAuth2Tokens & {
140
+ expectedIdTokenNonce?: string | undefined;
137
141
  user?: {
138
142
  name?: {
139
143
  firstName?: string;
@@ -171,6 +175,7 @@ declare const socialProviders: {
171
175
  redirectURI: string;
172
176
  display?: string | undefined;
173
177
  loginHint?: string | undefined;
178
+ idTokenNonce?: string | undefined;
174
179
  additionalParams?: Record<string, string> | undefined;
175
180
  }): Promise<{
176
181
  url: URL;
@@ -194,6 +199,7 @@ declare const socialProviders: {
194
199
  maxTokenAge: string;
195
200
  };
196
201
  getUserInfo(token: OAuth2Tokens & {
202
+ expectedIdTokenNonce?: string | undefined;
197
203
  user?: {
198
204
  name?: {
199
205
  firstName?: string;
@@ -230,6 +236,7 @@ declare const socialProviders: {
230
236
  redirectURI: string;
231
237
  display?: string | undefined;
232
238
  loginHint?: string | undefined;
239
+ idTokenNonce?: string | undefined;
233
240
  additionalParams?: Record<string, string> | undefined;
234
241
  }): Promise<{
235
242
  url: URL;
@@ -246,6 +253,7 @@ declare const socialProviders: {
246
253
  }) => Promise<OAuth2Tokens>;
247
254
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
248
255
  getUserInfo(token: OAuth2Tokens & {
256
+ expectedIdTokenNonce?: string | undefined;
249
257
  user?: {
250
258
  name?: {
251
259
  firstName?: string;
@@ -283,6 +291,7 @@ declare const socialProviders: {
283
291
  redirectURI: string;
284
292
  display?: string | undefined;
285
293
  loginHint?: string | undefined;
294
+ idTokenNonce?: string | undefined;
286
295
  additionalParams?: Record<string, string> | undefined;
287
296
  }): Promise<{
288
297
  url: URL;
@@ -313,6 +322,7 @@ declare const socialProviders: {
313
322
  };
314
323
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
315
324
  getUserInfo(token: OAuth2Tokens & {
325
+ expectedIdTokenNonce?: string | undefined;
316
326
  user?: {
317
327
  name?: {
318
328
  firstName?: string;
@@ -350,6 +360,7 @@ declare const socialProviders: {
350
360
  redirectURI: string;
351
361
  display?: string | undefined;
352
362
  loginHint?: string | undefined;
363
+ idTokenNonce?: string | undefined;
353
364
  additionalParams?: Record<string, string> | undefined;
354
365
  }): Promise<{
355
366
  url: URL;
@@ -367,6 +378,7 @@ declare const socialProviders: {
367
378
  }) => Promise<OAuth2Tokens>;
368
379
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
369
380
  getUserInfo(token: OAuth2Tokens & {
381
+ expectedIdTokenNonce?: string | undefined;
370
382
  user?: {
371
383
  name?: {
372
384
  firstName?: string;
@@ -405,6 +417,7 @@ declare const socialProviders: {
405
417
  redirectURI: string;
406
418
  display?: string | undefined;
407
419
  loginHint?: string | undefined;
420
+ idTokenNonce?: string | undefined;
408
421
  additionalParams?: Record<string, string> | undefined;
409
422
  }): Promise<{
410
423
  url: URL;
@@ -422,6 +435,7 @@ declare const socialProviders: {
422
435
  }) => Promise<OAuth2Tokens | null>;
423
436
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
424
437
  getUserInfo(token: OAuth2Tokens & {
438
+ expectedIdTokenNonce?: string | undefined;
425
439
  user?: {
426
440
  name?: {
427
441
  firstName?: string;
@@ -453,6 +467,7 @@ declare const socialProviders: {
453
467
  redirectURI: string;
454
468
  display?: string | undefined;
455
469
  loginHint?: string | undefined;
470
+ idTokenNonce?: string | undefined;
456
471
  additionalParams?: Record<string, string> | undefined;
457
472
  }): Promise<{
458
473
  url: URL;
@@ -473,8 +488,10 @@ declare const socialProviders: {
473
488
  audience: string | string[];
474
489
  maxTokenAge: string;
475
490
  issuer: string | undefined;
491
+ verifyClaims: (claims: Record<string, unknown>) => boolean;
476
492
  };
477
493
  getUserInfo(token: OAuth2Tokens & {
494
+ expectedIdTokenNonce?: string | undefined;
478
495
  user?: {
479
496
  name?: {
480
497
  firstName?: string;
@@ -516,6 +533,7 @@ declare const socialProviders: {
516
533
  redirectURI: string;
517
534
  display?: string | undefined;
518
535
  loginHint?: string | undefined;
536
+ idTokenNonce?: string | undefined;
519
537
  additionalParams?: Record<string, string> | undefined;
520
538
  }): Promise<{
521
539
  url: URL;
@@ -540,6 +558,7 @@ declare const socialProviders: {
540
558
  verifyClaims: ((claims: Record<string, unknown>) => boolean) | undefined;
541
559
  };
542
560
  getUserInfo(token: OAuth2Tokens & {
561
+ expectedIdTokenNonce?: string | undefined;
543
562
  user?: {
544
563
  name?: {
545
564
  firstName?: string;
@@ -577,6 +596,7 @@ declare const socialProviders: {
577
596
  redirectURI: string;
578
597
  display?: string | undefined;
579
598
  loginHint?: string | undefined;
599
+ idTokenNonce?: string | undefined;
580
600
  additionalParams?: Record<string, string> | undefined;
581
601
  }): Promise<{
582
602
  url: URL;
@@ -594,6 +614,7 @@ declare const socialProviders: {
594
614
  }) => Promise<OAuth2Tokens>;
595
615
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
596
616
  getUserInfo(token: OAuth2Tokens & {
617
+ expectedIdTokenNonce?: string | undefined;
597
618
  user?: {
598
619
  name?: {
599
620
  firstName?: string;
@@ -630,6 +651,7 @@ declare const socialProviders: {
630
651
  redirectURI: string;
631
652
  display?: string | undefined;
632
653
  loginHint?: string | undefined;
654
+ idTokenNonce?: string | undefined;
633
655
  additionalParams?: Record<string, string> | undefined;
634
656
  }): Promise<{
635
657
  url: URL;
@@ -646,6 +668,7 @@ declare const socialProviders: {
646
668
  }) => Promise<OAuth2Tokens>;
647
669
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
648
670
  getUserInfo(token: OAuth2Tokens & {
671
+ expectedIdTokenNonce?: string | undefined;
649
672
  user?: {
650
673
  name?: {
651
674
  firstName?: string;
@@ -683,6 +706,7 @@ declare const socialProviders: {
683
706
  redirectURI: string;
684
707
  display?: string | undefined;
685
708
  loginHint?: string | undefined;
709
+ idTokenNonce?: string | undefined;
686
710
  additionalParams?: Record<string, string> | undefined;
687
711
  }): Promise<{
688
712
  url: URL;
@@ -700,6 +724,7 @@ declare const socialProviders: {
700
724
  }) => Promise<OAuth2Tokens>;
701
725
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
702
726
  getUserInfo(token: OAuth2Tokens & {
727
+ expectedIdTokenNonce?: string | undefined;
703
728
  user?: {
704
729
  name?: {
705
730
  firstName?: string;
@@ -736,6 +761,7 @@ declare const socialProviders: {
736
761
  redirectURI: string;
737
762
  display?: string | undefined;
738
763
  loginHint?: string | undefined;
764
+ idTokenNonce?: string | undefined;
739
765
  additionalParams?: Record<string, string> | undefined;
740
766
  }): Promise<{
741
767
  url: URL;
@@ -752,6 +778,7 @@ declare const socialProviders: {
752
778
  }) => Promise<OAuth2Tokens>;
753
779
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
754
780
  getUserInfo(token: OAuth2Tokens & {
781
+ expectedIdTokenNonce?: string | undefined;
755
782
  user?: {
756
783
  name?: {
757
784
  firstName?: string;
@@ -783,6 +810,7 @@ declare const socialProviders: {
783
810
  redirectURI: string;
784
811
  display?: string | undefined;
785
812
  loginHint?: string | undefined;
813
+ idTokenNonce?: string | undefined;
786
814
  additionalParams?: Record<string, string> | undefined;
787
815
  }): Promise<{
788
816
  url: URL;
@@ -800,6 +828,7 @@ declare const socialProviders: {
800
828
  }) => Promise<OAuth2Tokens>;
801
829
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
802
830
  getUserInfo(token: OAuth2Tokens & {
831
+ expectedIdTokenNonce?: string | undefined;
803
832
  user?: {
804
833
  name?: {
805
834
  firstName?: string;
@@ -837,6 +866,7 @@ declare const socialProviders: {
837
866
  redirectURI: string;
838
867
  display?: string | undefined;
839
868
  loginHint?: string | undefined;
869
+ idTokenNonce?: string | undefined;
840
870
  additionalParams?: Record<string, string> | undefined;
841
871
  }) => Promise<{
842
872
  url: URL;
@@ -854,6 +884,7 @@ declare const socialProviders: {
854
884
  }) => Promise<OAuth2Tokens>;
855
885
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
856
886
  getUserInfo(token: OAuth2Tokens & {
887
+ expectedIdTokenNonce?: string | undefined;
857
888
  user?: {
858
889
  name?: {
859
890
  firstName?: string;
@@ -891,6 +922,7 @@ declare const socialProviders: {
891
922
  redirectURI: string;
892
923
  display?: string | undefined;
893
924
  loginHint?: string | undefined;
925
+ idTokenNonce?: string | undefined;
894
926
  additionalParams?: Record<string, string> | undefined;
895
927
  }): Promise<{
896
928
  url: URL;
@@ -908,6 +940,7 @@ declare const socialProviders: {
908
940
  }): Promise<OAuth2Tokens>;
909
941
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
910
942
  getUserInfo(token: OAuth2Tokens & {
943
+ expectedIdTokenNonce?: string | undefined;
911
944
  user?: {
912
945
  name?: {
913
946
  firstName?: string;
@@ -945,6 +978,7 @@ declare const socialProviders: {
945
978
  redirectURI: string;
946
979
  display?: string | undefined;
947
980
  loginHint?: string | undefined;
981
+ idTokenNonce?: string | undefined;
948
982
  additionalParams?: Record<string, string> | undefined;
949
983
  }): Promise<{
950
984
  url: URL;
@@ -961,6 +995,7 @@ declare const socialProviders: {
961
995
  }) => Promise<OAuth2Tokens>;
962
996
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
963
997
  getUserInfo(token: OAuth2Tokens & {
998
+ expectedIdTokenNonce?: string | undefined;
964
999
  user?: {
965
1000
  name?: {
966
1001
  firstName?: string;
@@ -998,6 +1033,7 @@ declare const socialProviders: {
998
1033
  redirectURI: string;
999
1034
  display?: string | undefined;
1000
1035
  loginHint?: string | undefined;
1036
+ idTokenNonce?: string | undefined;
1001
1037
  additionalParams?: Record<string, string> | undefined;
1002
1038
  }) => Promise<{
1003
1039
  url: URL;
@@ -1014,6 +1050,7 @@ declare const socialProviders: {
1014
1050
  }) => Promise<OAuth2Tokens>;
1015
1051
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1016
1052
  getUserInfo(token: OAuth2Tokens & {
1053
+ expectedIdTokenNonce?: string | undefined;
1017
1054
  user?: {
1018
1055
  name?: {
1019
1056
  firstName?: string;
@@ -1052,6 +1089,7 @@ declare const socialProviders: {
1052
1089
  redirectURI: string;
1053
1090
  display?: string | undefined;
1054
1091
  loginHint?: string | undefined;
1092
+ idTokenNonce?: string | undefined;
1055
1093
  additionalParams?: Record<string, string> | undefined;
1056
1094
  }) => Promise<{
1057
1095
  url: URL;
@@ -1069,6 +1107,7 @@ declare const socialProviders: {
1069
1107
  }) => Promise<OAuth2Tokens>;
1070
1108
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1071
1109
  getUserInfo(token: OAuth2Tokens & {
1110
+ expectedIdTokenNonce?: string | undefined;
1072
1111
  user?: {
1073
1112
  name?: {
1074
1113
  firstName?: string;
@@ -1126,6 +1165,7 @@ declare const socialProviders: {
1126
1165
  redirectURI: string;
1127
1166
  display?: string | undefined;
1128
1167
  loginHint?: string | undefined;
1168
+ idTokenNonce?: string | undefined;
1129
1169
  additionalParams?: Record<string, string> | undefined;
1130
1170
  }): {
1131
1171
  url: URL;
@@ -1142,6 +1182,7 @@ declare const socialProviders: {
1142
1182
  }) => Promise<OAuth2Tokens>;
1143
1183
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1144
1184
  getUserInfo(token: OAuth2Tokens & {
1185
+ expectedIdTokenNonce?: string | undefined;
1145
1186
  user?: {
1146
1187
  name?: {
1147
1188
  firstName?: string;
@@ -1178,6 +1219,7 @@ declare const socialProviders: {
1178
1219
  redirectURI: string;
1179
1220
  display?: string | undefined;
1180
1221
  loginHint?: string | undefined;
1222
+ idTokenNonce?: string | undefined;
1181
1223
  additionalParams?: Record<string, string> | undefined;
1182
1224
  }): Promise<{
1183
1225
  url: URL;
@@ -1194,6 +1236,7 @@ declare const socialProviders: {
1194
1236
  }) => Promise<OAuth2Tokens>;
1195
1237
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1196
1238
  getUserInfo(token: OAuth2Tokens & {
1239
+ expectedIdTokenNonce?: string | undefined;
1197
1240
  user?: {
1198
1241
  name?: {
1199
1242
  firstName?: string;
@@ -1230,6 +1273,7 @@ declare const socialProviders: {
1230
1273
  redirectURI: string;
1231
1274
  display?: string | undefined;
1232
1275
  loginHint?: string | undefined;
1276
+ idTokenNonce?: string | undefined;
1233
1277
  additionalParams?: Record<string, string> | undefined;
1234
1278
  }): Promise<{
1235
1279
  url: URL;
@@ -1246,6 +1290,7 @@ declare const socialProviders: {
1246
1290
  }) => Promise<OAuth2Tokens>;
1247
1291
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1248
1292
  getUserInfo(token: OAuth2Tokens & {
1293
+ expectedIdTokenNonce?: string | undefined;
1249
1294
  user?: {
1250
1295
  name?: {
1251
1296
  firstName?: string;
@@ -1283,6 +1328,7 @@ declare const socialProviders: {
1283
1328
  redirectURI: string;
1284
1329
  display?: string | undefined;
1285
1330
  loginHint?: string | undefined;
1331
+ idTokenNonce?: string | undefined;
1286
1332
  additionalParams?: Record<string, string> | undefined;
1287
1333
  }): Promise<{
1288
1334
  url: URL;
@@ -1300,6 +1346,7 @@ declare const socialProviders: {
1300
1346
  }) => Promise<OAuth2Tokens>;
1301
1347
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1302
1348
  getUserInfo(token: OAuth2Tokens & {
1349
+ expectedIdTokenNonce?: string | undefined;
1303
1350
  user?: {
1304
1351
  name?: {
1305
1352
  firstName?: string;
@@ -1337,6 +1384,7 @@ declare const socialProviders: {
1337
1384
  redirectURI: string;
1338
1385
  display?: string | undefined;
1339
1386
  loginHint?: string | undefined;
1387
+ idTokenNonce?: string | undefined;
1340
1388
  additionalParams?: Record<string, string> | undefined;
1341
1389
  }): Promise<{
1342
1390
  url: URL;
@@ -1355,6 +1403,7 @@ declare const socialProviders: {
1355
1403
  }) => Promise<OAuth2Tokens>;
1356
1404
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1357
1405
  getUserInfo(data: OAuth2Tokens & {
1406
+ expectedIdTokenNonce?: string | undefined;
1358
1407
  user?: {
1359
1408
  name?: {
1360
1409
  firstName?: string;
@@ -1392,6 +1441,7 @@ declare const socialProviders: {
1392
1441
  redirectURI: string;
1393
1442
  display?: string | undefined;
1394
1443
  loginHint?: string | undefined;
1444
+ idTokenNonce?: string | undefined;
1395
1445
  additionalParams?: Record<string, string> | undefined;
1396
1446
  }) => Promise<{
1397
1447
  url: URL;
@@ -1409,6 +1459,7 @@ declare const socialProviders: {
1409
1459
  }) => Promise<OAuth2Tokens>;
1410
1460
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1411
1461
  getUserInfo(token: OAuth2Tokens & {
1462
+ expectedIdTokenNonce?: string | undefined;
1412
1463
  user?: {
1413
1464
  name?: {
1414
1465
  firstName?: string;
@@ -1445,6 +1496,7 @@ declare const socialProviders: {
1445
1496
  redirectURI: string;
1446
1497
  display?: string | undefined;
1447
1498
  loginHint?: string | undefined;
1499
+ idTokenNonce?: string | undefined;
1448
1500
  additionalParams?: Record<string, string> | undefined;
1449
1501
  }): Promise<{
1450
1502
  url: URL;
@@ -1461,6 +1513,7 @@ declare const socialProviders: {
1461
1513
  }) => Promise<OAuth2Tokens>;
1462
1514
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1463
1515
  getUserInfo(token: OAuth2Tokens & {
1516
+ expectedIdTokenNonce?: string | undefined;
1464
1517
  user?: {
1465
1518
  name?: {
1466
1519
  firstName?: string;
@@ -1497,6 +1550,7 @@ declare const socialProviders: {
1497
1550
  redirectURI: string;
1498
1551
  display?: string | undefined;
1499
1552
  loginHint?: string | undefined;
1553
+ idTokenNonce?: string | undefined;
1500
1554
  additionalParams?: Record<string, string> | undefined;
1501
1555
  }): Promise<{
1502
1556
  url: URL;
@@ -1513,6 +1567,7 @@ declare const socialProviders: {
1513
1567
  }) => Promise<OAuth2Tokens>;
1514
1568
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1515
1569
  getUserInfo(token: OAuth2Tokens & {
1570
+ expectedIdTokenNonce?: string | undefined;
1516
1571
  user?: {
1517
1572
  name?: {
1518
1573
  firstName?: string;
@@ -1570,6 +1625,7 @@ declare const socialProviders: {
1570
1625
  redirectURI: string;
1571
1626
  display?: string | undefined;
1572
1627
  loginHint?: string | undefined;
1628
+ idTokenNonce?: string | undefined;
1573
1629
  additionalParams?: Record<string, string> | undefined;
1574
1630
  }): Promise<{
1575
1631
  url: URL;
@@ -1586,6 +1642,7 @@ declare const socialProviders: {
1586
1642
  }) => Promise<OAuth2Tokens>;
1587
1643
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1588
1644
  getUserInfo(token: OAuth2Tokens & {
1645
+ expectedIdTokenNonce?: string | undefined;
1589
1646
  user?: {
1590
1647
  name?: {
1591
1648
  firstName?: string;
@@ -1645,6 +1702,7 @@ declare const socialProviders: {
1645
1702
  redirectURI: string;
1646
1703
  display?: string | undefined;
1647
1704
  loginHint?: string | undefined;
1705
+ idTokenNonce?: string | undefined;
1648
1706
  additionalParams?: Record<string, string> | undefined;
1649
1707
  }): Promise<{
1650
1708
  url: URL;
@@ -1665,6 +1723,7 @@ declare const socialProviders: {
1665
1723
  verify: (token: string, nonce: string | undefined) => Promise<boolean>;
1666
1724
  };
1667
1725
  getUserInfo(token: OAuth2Tokens & {
1726
+ expectedIdTokenNonce?: string | undefined;
1668
1727
  user?: {
1669
1728
  name?: {
1670
1729
  firstName?: string;
@@ -1724,6 +1783,7 @@ declare const socialProviders: {
1724
1783
  redirectURI: string;
1725
1784
  display?: string | undefined;
1726
1785
  loginHint?: string | undefined;
1786
+ idTokenNonce?: string | undefined;
1727
1787
  additionalParams?: Record<string, string> | undefined;
1728
1788
  }): Promise<{
1729
1789
  url: URL;
@@ -1741,6 +1801,7 @@ declare const socialProviders: {
1741
1801
  }) => Promise<OAuth2Tokens>;
1742
1802
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1743
1803
  getUserInfo(token: OAuth2Tokens & {
1804
+ expectedIdTokenNonce?: string | undefined;
1744
1805
  user?: {
1745
1806
  name?: {
1746
1807
  firstName?: string;
@@ -1777,6 +1838,7 @@ declare const socialProviders: {
1777
1838
  redirectURI: string;
1778
1839
  display?: string | undefined;
1779
1840
  loginHint?: string | undefined;
1841
+ idTokenNonce?: string | undefined;
1780
1842
  additionalParams?: Record<string, string> | undefined;
1781
1843
  }): Promise<{
1782
1844
  url: URL;
@@ -1802,6 +1864,7 @@ declare const socialProviders: {
1802
1864
  accessTokenExpiresAt: Date | undefined;
1803
1865
  }>);
1804
1866
  getUserInfo(token: OAuth2Tokens & {
1867
+ expectedIdTokenNonce?: string | undefined;
1805
1868
  user?: {
1806
1869
  name?: {
1807
1870
  firstName?: string;
@@ -1860,6 +1923,7 @@ declare const socialProviders: {
1860
1923
  redirectURI: string;
1861
1924
  display?: string | undefined;
1862
1925
  loginHint?: string | undefined;
1926
+ idTokenNonce?: string | undefined;
1863
1927
  additionalParams?: Record<string, string> | undefined;
1864
1928
  }): Promise<{
1865
1929
  url: URL;
@@ -1877,6 +1941,7 @@ declare const socialProviders: {
1877
1941
  }) => Promise<OAuth2Tokens>;
1878
1942
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1879
1943
  getUserInfo(token: OAuth2Tokens & {
1944
+ expectedIdTokenNonce?: string | undefined;
1880
1945
  user?: {
1881
1946
  name?: {
1882
1947
  firstName?: string;
@@ -1914,6 +1979,7 @@ declare const socialProviders: {
1914
1979
  redirectURI: string;
1915
1980
  display?: string | undefined;
1916
1981
  loginHint?: string | undefined;
1982
+ idTokenNonce?: string | undefined;
1917
1983
  additionalParams?: Record<string, string> | undefined;
1918
1984
  }): Promise<{
1919
1985
  url: URL;
@@ -1931,6 +1997,7 @@ declare const socialProviders: {
1931
1997
  }) => Promise<OAuth2Tokens>;
1932
1998
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
1933
1999
  getUserInfo(token: OAuth2Tokens & {
2000
+ expectedIdTokenNonce?: string | undefined;
1934
2001
  user?: {
1935
2002
  name?: {
1936
2003
  firstName?: string;
@@ -1968,6 +2035,7 @@ declare const socialProviders: {
1968
2035
  redirectURI: string;
1969
2036
  display?: string | undefined;
1970
2037
  loginHint?: string | undefined;
2038
+ idTokenNonce?: string | undefined;
1971
2039
  additionalParams?: Record<string, string> | undefined;
1972
2040
  }): Promise<{
1973
2041
  url: URL;
@@ -1984,6 +2052,7 @@ declare const socialProviders: {
1984
2052
  deviceId?: string | undefined;
1985
2053
  }) => Promise<OAuth2Tokens>;
1986
2054
  getUserInfo(token: OAuth2Tokens & {
2055
+ expectedIdTokenNonce?: string | undefined;
1987
2056
  user?: {
1988
2057
  name?: {
1989
2058
  firstName?: string;
@@ -2020,6 +2089,7 @@ declare const socialProviders: {
2020
2089
  redirectURI: string;
2021
2090
  display?: string | undefined;
2022
2091
  loginHint?: string | undefined;
2092
+ idTokenNonce?: string | undefined;
2023
2093
  additionalParams?: Record<string, string> | undefined;
2024
2094
  }): {
2025
2095
  url: URL;
@@ -2049,6 +2119,7 @@ declare const socialProviders: {
2049
2119
  scopes: string[];
2050
2120
  }>);
2051
2121
  getUserInfo(token: OAuth2Tokens & {
2122
+ expectedIdTokenNonce?: string | undefined;
2052
2123
  user?: {
2053
2124
  name?: {
2054
2125
  firstName?: string;
@@ -106,6 +106,7 @@ declare const kakao: (options: KakaoOptions) => {
106
106
  redirectURI: string;
107
107
  display?: string | undefined;
108
108
  loginHint?: string | undefined;
109
+ idTokenNonce?: string | undefined;
109
110
  additionalParams?: Record<string, string> | undefined;
110
111
  }): Promise<{
111
112
  url: URL;
@@ -122,6 +123,7 @@ declare const kakao: (options: KakaoOptions) => {
122
123
  }) => Promise<OAuth2Tokens>;
123
124
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
124
125
  getUserInfo(token: OAuth2Tokens & {
126
+ expectedIdTokenNonce?: string | undefined;
125
127
  user?: {
126
128
  name?: {
127
129
  firstName?: string;
@@ -38,6 +38,7 @@ declare const kick: (options: KickOptions) => {
38
38
  redirectURI: string;
39
39
  display?: string | undefined;
40
40
  loginHint?: string | undefined;
41
+ idTokenNonce?: string | undefined;
41
42
  additionalParams?: Record<string, string> | undefined;
42
43
  }): Promise<{
43
44
  url: URL;
@@ -55,6 +56,7 @@ declare const kick: (options: KickOptions) => {
55
56
  }): Promise<OAuth2Tokens>;
56
57
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
57
58
  getUserInfo(token: OAuth2Tokens & {
59
+ expectedIdTokenNonce?: string | undefined;
58
60
  user?: {
59
61
  name?: {
60
62
  firstName?: string;
@@ -48,6 +48,7 @@ declare const line: (options: LineOptions) => {
48
48
  redirectURI: string;
49
49
  display?: string | undefined;
50
50
  loginHint?: string | undefined;
51
+ idTokenNonce?: string | undefined;
51
52
  additionalParams?: Record<string, string> | undefined;
52
53
  }): Promise<{
53
54
  url: URL;
@@ -68,6 +69,7 @@ declare const line: (options: LineOptions) => {
68
69
  verify: (token: string, nonce: string | undefined) => Promise<boolean>;
69
70
  };
70
71
  getUserInfo(token: OAuth2Tokens & {
72
+ expectedIdTokenNonce?: string | undefined;
71
73
  user?: {
72
74
  name?: {
73
75
  firstName?: string;
@@ -34,6 +34,7 @@ declare const linear: (options: LinearOptions) => {
34
34
  redirectURI: string;
35
35
  display?: string | undefined;
36
36
  loginHint?: string | undefined;
37
+ idTokenNonce?: string | undefined;
37
38
  additionalParams?: Record<string, string> | undefined;
38
39
  }): Promise<{
39
40
  url: URL;
@@ -50,6 +51,7 @@ declare const linear: (options: LinearOptions) => {
50
51
  }) => Promise<OAuth2Tokens>;
51
52
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
52
53
  getUserInfo(token: OAuth2Tokens & {
54
+ expectedIdTokenNonce?: string | undefined;
53
55
  user?: {
54
56
  name?: {
55
57
  firstName?: string;
@@ -33,6 +33,7 @@ declare const linkedin: (options: LinkedInOptions) => {
33
33
  redirectURI: string;
34
34
  display?: string | undefined;
35
35
  loginHint?: string | undefined;
36
+ idTokenNonce?: string | undefined;
36
37
  additionalParams?: Record<string, string> | undefined;
37
38
  }) => Promise<{
38
39
  url: URL;
@@ -49,6 +50,7 @@ declare const linkedin: (options: LinkedInOptions) => {
49
50
  }) => Promise<OAuth2Tokens>;
50
51
  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
51
52
  getUserInfo(token: OAuth2Tokens & {
53
+ expectedIdTokenNonce?: string | undefined;
52
54
  user?: {
53
55
  name?: {
54
56
  firstName?: string;
@@ -147,6 +147,7 @@ declare const microsoft: (options: MicrosoftOptions) => {
147
147
  redirectURI: string;
148
148
  display?: string | undefined;
149
149
  loginHint?: string | undefined;
150
+ idTokenNonce?: string | undefined;
150
151
  additionalParams?: Record<string, string> | undefined;
151
152
  }): Promise<{
152
153
  url: URL;
@@ -172,8 +173,19 @@ declare const microsoft: (options: MicrosoftOptions) => {
172
173
  * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
173
174
  */
174
175
  issuer: string | undefined;
176
+ /**
177
+ * The multi-tenant endpoints (common/organizations/consumers) skip the
178
+ * issuer check above because the issuer varies per tenant, and the
179
+ * organizations and consumers JWKS sets overlap. Enforce the tenant
180
+ * binding explicitly so a token from a disallowed account class cannot
181
+ * pass: the issuer must name the token's own tenant, and the account
182
+ * class must match the configured restriction.
183
+ * @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
184
+ */
185
+ verifyClaims: (claims: Record<string, unknown>) => boolean;
175
186
  };
176
187
  getUserInfo(token: OAuth2Tokens & {
188
+ expectedIdTokenNonce?: string | undefined;
177
189
  user?: {
178
190
  name?: {
179
191
  firstName?: string;
@@ -9,6 +9,13 @@ import { base64 } from "@better-auth/utils/base64";
9
9
  import { decodeJwt, importJWK } from "jose";
10
10
  import { betterFetch } from "@better-fetch/fetch";
11
11
  //#region src/social-providers/microsoft-entra-id.ts
12
+ /**
13
+ * Microsoft's fixed tenant id for personal (consumer) Microsoft accounts. Every
14
+ * personal-account token carries it as the `tid` claim, so it distinguishes the
15
+ * consumer account class from work/school tenants.
16
+ * @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
17
+ */
18
+ const MICROSOFT_CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
12
19
  const MICROSOFT_ENTRA_ID_DEFAULT_SCOPES = [
13
20
  "openid",
14
21
  "profile",
@@ -18,7 +25,8 @@ const MICROSOFT_ENTRA_ID_DEFAULT_SCOPES = [
18
25
  ];
19
26
  const microsoft = (options) => {
20
27
  const tenant = options.tenantId || "common";
21
- const authority = options.authority || "https://login.microsoftonline.com";
28
+ let authority = options.authority || "https://login.microsoftonline.com";
29
+ while (authority.endsWith("/")) authority = authority.slice(0, -1);
22
30
  const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
23
31
  const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
24
32
  if (options.clientSecret && options.clientAssertion) throw new BetterAuthError("Microsoft Entra ID clientAssertion cannot be combined with clientSecret");
@@ -63,7 +71,14 @@ const microsoft = (options) => {
63
71
  jwks: (header) => getMicrosoftPublicKey(header.kid, tenant, authority),
64
72
  audience: options.clientId,
65
73
  maxTokenAge: "1h",
66
- issuer: tenant !== "common" && tenant !== "organizations" && tenant !== "consumers" ? `${authority}/${tenant}/v2.0` : void 0
74
+ issuer: tenant !== "common" && tenant !== "organizations" && tenant !== "consumers" ? `${authority}/${tenant}/v2.0` : void 0,
75
+ verifyClaims: (claims) => {
76
+ const tid = claims.tid;
77
+ if (typeof tid !== "string" || claims.iss !== `${authority}/${tid}/v2.0`) return false;
78
+ if (tenant === "organizations" && tid === MICROSOFT_CONSUMER_TENANT_ID) return false;
79
+ if (tenant === "consumers" && tid !== MICROSOFT_CONSUMER_TENANT_ID) return false;
80
+ return true;
81
+ }
67
82
  },
68
83
  async getUserInfo(token) {
69
84
  if (options.getUserInfo) return options.getUserInfo(token);
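Review bot: `verifyClaims` on new lines 75–81 is a bare predicate, so a rejected token surfaces only as the caller's generic verification failure with nothing in the code explaining which rule fired; a one-line comment above it such as `// reject when iss is not bound to the token's own tid, or when tid falls outside the configured account class (organizations/consumers)` would make the three early returns self-explanatory to whoever debugs a failed sign-in later. The check is only as strong as its call site: it matters only if the id-token verifier in verify.mjs (changed in this release but not shown here) invokes it after signature verification and before any claim is trusted, which cannot be confirmed from this hunk, and the `getUserInfo` path that decodes the id token with `decodeJwt` continues outside the hunk. Since dist/*.mjs is a build artifact, the matching change in package/src/social-providers/microsoft-entra-id.ts (listed above) is where any follow-up should land. As a style nit, the trailing-slash loop on new line 29 reads more directly as `authority = authority.replace(/\/+$/, "");`.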