@better-auth/core 1.7.0-beta.6 → 1.7.0-beta.7

package/dist/context/global.mjs

@@ -2,7 +2,7 @@
 const symbol = Symbol.for("better-auth:global");
 let bind = null;
 const __context = {};
-const __betterAuthVersion = "1.7.0-beta.6";
+const __betterAuthVersion = "1.7.0-beta.7";
 /**
 * We store context instance in the globalThis.
 *

package/dist/db/adapter/factory.mjs

@@ -1,7 +1,7 @@
 import { BetterAuthError } from "../../error/index.mjs";
-import { getAuthTables } from "../get-tables.mjs";
 import { getColorDepth } from "../../env/color-depth.mjs";
 import { TTY_COLORS, createLogger } from "../../env/logger.mjs";
+import { getAuthTables } from "../get-tables.mjs";
 import { safeJSONParse } from "../../utils/json.mjs";
 import { initGetDefaultModelName } from "./get-default-model-name.mjs";
 import { initGetDefaultFieldName } from "./get-default-field-name.mjs";

package/dist/instrumentation/tracer.mjs

@@ -2,7 +2,7 @@ import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes.mjs";
 import { getOpenTelemetryAPI } from "./api.mjs";
 //#region src/instrumentation/tracer.ts
 const INSTRUMENTATION_SCOPE = "better-auth";
-const INSTRUMENTATION_VERSION = "1.7.0-beta.6";
+const INSTRUMENTATION_VERSION = "1.7.0-beta.7";
 /**
 * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth
 * callbacks). These are APIErrors with 3xx status codes and should not be

package/dist/oauth2/create-authorization-url.d.mts

@@ -7,7 +7,7 @@ import { ProviderOptions } from "./oauth-provider.mjs";
  * `additionalParams`. Overriding `state`, PKCE, or `redirect_uri` would
  * break the callback correlation and session pinning guarantees.
  */
-declare const RESERVED_AUTHORIZATION_PARAMS: readonly ["state", "client_id", "redirect_uri", "response_type", "code_challenge", "code_challenge_method", "scope"];
+declare const RESERVED_AUTHORIZATION_PARAMS: readonly ["state", "client_id", "redirect_uri", "response_type", "code_challenge", "code_challenge_method", "nonce", "scope"];
 declare const RESERVED_AUTHORIZATION_PARAMS_SET: ReadonlySet<string>;
 declare function createAuthorizationURL({
   id,
@@ -24,6 +24,7 @@ declare function createAuthorizationURL({
   responseType,
   display,
   loginHint,
+  nonce,
   hd,
   responseMode,
   additionalParams,
@@ -43,6 +44,7 @@ declare function createAuthorizationURL({
   responseType?: string | undefined;
   display?: string | undefined;
   loginHint?: string | undefined;
+  nonce?: string | undefined;
   hd?: string | undefined;
   responseMode?: string | undefined;
   additionalParams?: Record<string, string> | undefined;

package/dist/oauth2/create-authorization-url.mjs

@@ -13,10 +13,11 @@ const RESERVED_AUTHORIZATION_PARAMS = [
 	"response_type",
 	"code_challenge",
 	"code_challenge_method",
+	"nonce",
 	"scope"
 ];
 const RESERVED_AUTHORIZATION_PARAMS_SET = new Set(RESERVED_AUTHORIZATION_PARAMS);
-async function createAuthorizationURL({ id, options, authorizationEndpoint, state, codeVerifier, scopes, claims, redirectURI, duration, prompt, accessType, responseType, display, loginHint, hd, responseMode, additionalParams, scopeJoiner }) {
+async function createAuthorizationURL({ id, options, authorizationEndpoint, state, codeVerifier, scopes, claims, redirectURI, duration, prompt, accessType, responseType, display, loginHint, nonce, hd, responseMode, additionalParams, scopeJoiner }) {
 	options = typeof options === "function" ? await options() : options;
 	const url = new URL(options.authorizationEndpoint || authorizationEndpoint);
 	url.searchParams.set("response_type", responseType || "code");
@@ -29,6 +30,7 @@ async function createAuthorizationURL({ id, options, authorizationEndpoint, stat
 	duration && url.searchParams.set("duration", duration);
 	display && url.searchParams.set("display", display);
 	loginHint && url.searchParams.set("login_hint", loginHint);
+	nonce && url.searchParams.set("nonce", nonce);
 	prompt && url.searchParams.set("prompt", prompt);
 	hd && url.searchParams.set("hd", hd);
 	accessType && url.searchParams.set("access_type", accessType);

package/dist/oauth2/index.d.mts

@@ -1,7 +1,7 @@
 import { additionalAuthorizationParamsSchema } from "./authorization-params.mjs";
 import { decodeBasicCredentials, encodeBasicCredentials } from "./basic-credentials.mjs";
 import { CLIENT_ASSERTION_TYPE, ClientAssertionContext, ClientAssertionGetter, ClientAssertionGrantType, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS, PrivateKeyJwtClientAssertionGetterOptions, PrivateKeyJwtSigningAlgorithm, createPrivateKeyJwtClientAssertionGetter, resolveClientAssertionParams, signPrivateKeyJwtClientAssertion } from "./client-assertion.mjs";
-import { AuthorizationURLResult, GrantAuthority, OAuth2Tokens, OAuth2UserInfo, OAuthIdTokenConfig, ProviderGrantAuthority, ProviderOptions, UpstreamProvider } from "./oauth-provider.mjs";
+import { AuthorizationURLResult, GrantAuthority, OAuth2Tokens, OAuth2UserInfo, OAuthIdTokenConfig, OAuthRefreshContext, ProviderGrantAuthority, ProviderOptions, UpstreamProvider } from "./oauth-provider.mjs";
 import { TokenEndpointAuth, TokenEndpointAuthMethod, TokenEndpointSecretAuthentication } from "./token-endpoint-auth.mjs";
 import { clientCredentialsToken, clientCredentialsTokenRequest } from "./client-credentials-token.mjs";
 import { RESERVED_AUTHORIZATION_PARAMS, RESERVED_AUTHORIZATION_PARAMS_SET, createAuthorizationURL } from "./create-authorization-url.mjs";
@@ -12,4 +12,4 @@ import { applyDefaultAccessTokenExpiry, generateCodeChallenge, getOAuth2Tokens,
 import { authorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
 import { ResourceRequestInput, VerifyAccessTokenOptions, VerifyAccessTokenRequestOptions, getJwks, requestToResourceInput, verifyAccessTokenRequest, verifyBearerToken, verifyJwsAccessToken } from "./verify.mjs";
 import { supportsIdTokenSignIn, verifyProviderIdToken } from "./verify-id-token.mjs";
-export { type AccessTokenAuthorization, type AccessTokenAuthorizationScheme, type AuthorizationURLResult, BEARER_AUTHORIZATION_SCHEME, CLIENT_ASSERTION_TYPE, type ClientAssertionContext, type ClientAssertionGetter, type ClientAssertionGrantType, DPOP_AUTHORIZATION_SCHEME, DPOP_PROOF_TYPE, DPOP_SIGNING_ALGORITHMS, type DpopBindingError, type DpopBindingErrorCode, type DpopProofError, type DpopProofErrorCode, type DpopReplayReservation, type DpopReplayReservations, type DpopReplayStore, type DpopSigningAlgorithm, type EnforceDpopBindingParams, type GrantAuthority, type OAuth2Tokens, type OAuth2UserInfo, type OAuthIdTokenConfig, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS, type PrivateKeyJwtClientAssertionGetterOptions, type PrivateKeyJwtSigningAlgorithm, type ProviderGrantAuthority, type ProviderOptions, RESERVED_AUTHORIZATION_PARAMS, RESERVED_AUTHORIZATION_PARAMS_SET, type ResourceRequestInput, type TokenEndpointAuth, type TokenEndpointAuthMethod, type TokenEndpointSecretAuthentication, type UpstreamProvider, type VerifiedDpopProof, type VerifyAccessTokenOptions, type VerifyAccessTokenRequestOptions, type VerifyDpopProofOptions, additionalAuthorizationParamsSchema, applyDefaultAccessTokenExpiry, authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationURL, createDpopBindingError, createDpopProofError, createDpopReplayStore, createInMemoryDpopReplayStore, createPrivateKeyJwtClientAssertionGetter, decodeBasicCredentials, deriveDpopAth, deriveDpopJkt, encodeBasicCredentials, enforceDpopBinding, generateCodeChallenge, getConfirmationJkt, getDpopJktFromPayload, getJwks, getOAuth2Tokens, getPrimaryClientId, includesGrantedScope, isDpopBindingError, isDpopProofError, normalizeDpopHtu, normalizeScopes, parseAccessTokenAuthorization, parseScopeField, readGrantedScopes, refreshAccessToken, refreshAccessTokenRequest, requestToResourceInput, resolveClientAssertionParams, resolveRequestedScopes, signPrivateKeyJwtClientAssertion, stripAccessTokenAuthorizationScheme, supportsIdTokenSignIn, unionGrantedScopes, validateAuthorizationCode, validateToken, verifyAccessTokenRequest, verifyBearerToken, verifyDpopProof, verifyJwsAccessToken, verifyProviderIdToken };
+export { type AccessTokenAuthorization, type AccessTokenAuthorizationScheme, type AuthorizationURLResult, BEARER_AUTHORIZATION_SCHEME, CLIENT_ASSERTION_TYPE, type ClientAssertionContext, type ClientAssertionGetter, type ClientAssertionGrantType, DPOP_AUTHORIZATION_SCHEME, DPOP_PROOF_TYPE, DPOP_SIGNING_ALGORITHMS, type DpopBindingError, type DpopBindingErrorCode, type DpopProofError, type DpopProofErrorCode, type DpopReplayReservation, type DpopReplayReservations, type DpopReplayStore, type DpopSigningAlgorithm, type EnforceDpopBindingParams, type GrantAuthority, type OAuth2Tokens, type OAuth2UserInfo, type OAuthIdTokenConfig, type OAuthRefreshContext, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS, type PrivateKeyJwtClientAssertionGetterOptions, type PrivateKeyJwtSigningAlgorithm, type ProviderGrantAuthority, type ProviderOptions, RESERVED_AUTHORIZATION_PARAMS, RESERVED_AUTHORIZATION_PARAMS_SET, type ResourceRequestInput, type TokenEndpointAuth, type TokenEndpointAuthMethod, type TokenEndpointSecretAuthentication, type UpstreamProvider, type VerifiedDpopProof, type VerifyAccessTokenOptions, type VerifyAccessTokenRequestOptions, type VerifyDpopProofOptions, additionalAuthorizationParamsSchema, applyDefaultAccessTokenExpiry, authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationURL, createDpopBindingError, createDpopProofError, createDpopReplayStore, createInMemoryDpopReplayStore, createPrivateKeyJwtClientAssertionGetter, decodeBasicCredentials, deriveDpopAth, deriveDpopJkt, encodeBasicCredentials, enforceDpopBinding, generateCodeChallenge, getConfirmationJkt, getDpopJktFromPayload, getJwks, getOAuth2Tokens, getPrimaryClientId, includesGrantedScope, isDpopBindingError, isDpopProofError, normalizeDpopHtu, normalizeScopes, parseAccessTokenAuthorization, parseScopeField, readGrantedScopes, refreshAccessToken, refreshAccessTokenRequest, requestToResourceInput, resolveClientAssertionParams, resolveRequestedScopes, signPrivateKeyJwtClientAssertion, stripAccessTokenAuthorizationScheme, supportsIdTokenSignIn, unionGrantedScopes, validateAuthorizationCode, validateToken, verifyAccessTokenRequest, verifyBearerToken, verifyDpopProof, verifyJwsAccessToken, verifyProviderIdToken };

package/dist/oauth2/oauth-provider.d.mts

@@ -69,6 +69,17 @@ type OAuth2UserInfo = {
   image?: string | undefined;
   emailVerified: boolean;
 };
+/**
+ * Request metadata available to provider refresh hooks.
+ *
+ * The refresh flow may be triggered by endpoints such as `getAccessToken` or
+ * `refreshToken`; this context gives provider hooks access to the triggering
+ * request without exposing the full endpoint implementation surface.
+ */
+interface OAuthRefreshContext {
+  headers?: Headers | undefined;
+  request?: Request | undefined;
+}
 /**
  * The result of building a provider authorization URL.
  *
@@ -128,6 +139,12 @@ interface UpstreamProvider<T extends Record<string, any> = Record<string, any>,
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    /**
+     * OIDC nonce generated by the redirect initiator and persisted in OAuth
+     * state. Providers that set `requiresIdTokenNonce` must forward this to
+     * the authorization URL as the `nonce` parameter.
+     */
+    idTokenNonce?: string | undefined;
     /**
      * Extra query parameters to append to the authorization URL.
      * Providers forward these to the shared `createAuthorizationURL` helper,
@@ -144,6 +161,12 @@ interface UpstreamProvider<T extends Record<string, any> = Record<string, any>,
     deviceId?: string | undefined;
   }) => Promise<OAuth2Tokens | null>;
   getUserInfo: (token: OAuth2Tokens & {
+    /**
+     * OIDC nonce recovered from OAuth state. Providers that required an
+     * ID-token nonce must pass this to `verifyProviderIdToken` before
+     * trusting ID-token claims.
+     */
+    expectedIdTokenNonce?: string | undefined;
     /**
      * The user object from the provider
      * This is only available for some providers like Apple
@@ -160,9 +183,13 @@ interface UpstreamProvider<T extends Record<string, any> = Record<string, any>,
     data: T;
   } | null>;
   /**
-   * Custom function to refresh a token
+   * Custom function to refresh a token.
+   *
+   * Receives request metadata from the endpoint that triggered the refresh.
+   * Providers that don't need request-scoped data can ignore the second
+   * argument.
    */
-  refreshAccessToken?: ((refreshToken: string) => Promise<OAuth2Tokens>) | undefined;
+  refreshAccessToken?: ((refreshToken: string, ctx?: OAuthRefreshContext) => Promise<OAuth2Tokens>) | undefined;
   /**
    * Declarative id_token verification config consumed by the shared
    * `verifyProviderIdToken` verifier. Providers set this instead of implementing a boolean
@@ -175,6 +202,13 @@ interface UpstreamProvider<T extends Record<string, any> = Record<string, any>,
    * against this value to prevent authorization server mix-up attacks.
    */
   issuer?: string | undefined;
+  /**
+   * Require shared OAuth redirect routes to bind ID-token verification to an
+   * authorization request nonce. When true, routes generate `idTokenNonce`,
+   * pass it to `createAuthorizationURL`, persist it in state, and provide it
+   * back to `getUserInfo` as `expectedIdTokenNonce`.
+   */
+  requiresIdTokenNonce?: boolean | undefined;
   /**
    * Disable implicit sign up for new users. When set to true for the provider,
    * sign-in need to be called with with requestSignUp as true to create new users.
@@ -333,4 +367,4 @@ type ProviderOptions<Profile extends Record<string, any> = any> = {
   requireEmailVerification?: boolean | undefined;
 };
 //#endregion
-export { AuthorizationURLResult, GrantAuthority, OAuth2Tokens, OAuth2UserInfo, OAuthIdTokenConfig, ProviderGrantAuthority, ProviderOptions, UpstreamProvider };
+export { AuthorizationURLResult, GrantAuthority, OAuth2Tokens, OAuth2UserInfo, OAuthIdTokenConfig, OAuthRefreshContext, ProviderGrantAuthority, ProviderOptions, UpstreamProvider };

package/dist/oauth2/refresh-access-token.mjs

@@ -1,6 +1,13 @@
 import { applyTokenEndpointAuth } from "./token-endpoint-auth.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/oauth2/refresh-access-token.ts
+const BLOCKED_REFRESH_TOKEN_PARAMS_SET = new Set([
+	"grant_type",
+	"refresh_token",
+	"__proto__",
+	"constructor",
+	"prototype"
+]);
 async function refreshAccessTokenRequest({ refreshToken, options, authentication, tokenEndpointAuth, tokenEndpoint, extraParams, resource }) {
 	options = typeof options === "function" ? await options() : options;
 	const request = buildRefreshAccessTokenRequest({
@@ -20,6 +27,13 @@ async function refreshAccessTokenRequest({ refreshToken, options, authentication
 	});
 	return request;
 }
+function applyRefreshExtraParams(body, extraParams) {
+	if (!extraParams) return;
+	for (const [key, value] of Object.entries(extraParams)) {
+		if (BLOCKED_REFRESH_TOKEN_PARAMS_SET.has(key)) continue;
+		body.set(key, value);
+	}
+}
 function buildRefreshAccessTokenRequest({ refreshToken, options, extraParams, resource }) {
 	const body = new URLSearchParams();
 	const headers = {
@@ -30,7 +44,7 @@ function buildRefreshAccessTokenRequest({ refreshToken, options, extraParams, re
 	body.set("refresh_token", refreshToken);
 	if (resource) if (typeof resource === "string") body.append("resource", resource);
 	else for (const _resource of resource) body.append("resource", _resource);
-	if (extraParams) for (const [key, value] of Object.entries(extraParams)) body.set(key, value);
+	if (extraParams) applyRefreshExtraParams(body, extraParams);
 	return {
 		body,
 		headers

package/dist/social-providers/apple.d.mts

@@ -82,6 +82,7 @@ declare const apple: (options: AppleOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -106,6 +107,7 @@ declare const apple: (options: AppleOptions) => {
   };
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/atlassian.d.mts

@@ -35,6 +35,7 @@ declare const atlassian: (options: AtlassianOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -52,6 +53,7 @@ declare const atlassian: (options: AtlassianOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/cognito.d.mts

@@ -63,6 +63,7 @@ declare const cognito: (options: CognitoOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -86,6 +87,7 @@ declare const cognito: (options: CognitoOptions) => {
     maxTokenAge: string;
   };
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/discord.d.mts

@@ -90,6 +90,7 @@ declare const discord: (options: DiscordOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -106,6 +107,7 @@ declare const discord: (options: DiscordOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/dropbox.d.mts

@@ -34,6 +34,7 @@ declare const dropbox: (options: DropboxOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }) => Promise<{
     url: URL;
@@ -51,6 +52,7 @@ declare const dropbox: (options: DropboxOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/facebook.d.mts

@@ -46,6 +46,7 @@ declare const facebook: (options: FacebookOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -76,6 +77,7 @@ declare const facebook: (options: FacebookOptions) => {
   };
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/figma.d.mts

@@ -26,6 +26,7 @@ declare const figma: (options: FigmaOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -43,6 +44,7 @@ declare const figma: (options: FigmaOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/github.d.mts

@@ -67,6 +67,7 @@ declare const github: (options: GithubOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -84,6 +85,7 @@ declare const github: (options: GithubOptions) => {
   }) => Promise<OAuth2Tokens | null>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/gitlab.d.mts

@@ -67,6 +67,7 @@ declare const gitlab: (options: GitlabOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }) => Promise<{
     url: URL;
@@ -84,6 +85,7 @@ declare const gitlab: (options: GitlabOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/google.d.mts

@@ -76,6 +76,7 @@ declare const google: (options: GoogleOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -100,6 +101,7 @@ declare const google: (options: GoogleOptions) => {
     verifyClaims: ((claims: Record<string, unknown>) => boolean) | undefined;
   };
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/huggingface.d.mts

@@ -48,6 +48,7 @@ declare const huggingface: (options: HuggingFaceOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -65,6 +66,7 @@ declare const huggingface: (options: HuggingFaceOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;