@better-auth/core 1.7.0-beta.6 → 1.7.0-beta.8

package/src/social-providers/vercel.ts

@@ -1,11 +1,7 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
-import {
-	createAuthorizationURL,
-	resolveRequestedScopes,
-	validateAuthorizationCode,
-} from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import { createAuthorizationURL, validateAuthorizationCode } from "../oauth2";
 
 export interface VercelProfile {
 	sub: string;
@@ -20,13 +16,10 @@ export interface VercelOptions extends ProviderOptions<VercelProfile> {
 	clientId: string;
 }
 
-const VERCEL_DEFAULT_SCOPES: string[] = [];
-
 export const vercel = (options: VercelOptions) => {
 	return {
 		id: "vercel",
 		name: "Vercel",
-		callbackPath: "/callback/vercel",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -38,17 +31,18 @@ export const vercel = (options: VercelOptions) => {
 				throw new BetterAuthError("codeVerifier is required for Vercel");
 			}
 
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				VERCEL_DEFAULT_SCOPES,
-				scopes,
-			);
+			let _scopes: string[] | undefined = undefined;
+			if (options.scope !== undefined || scopes !== undefined) {
+				_scopes = [];
+				if (options.scope) _scopes.push(...options.scope);
+				if (scopes) _scopes.push(...scopes);
+			}
 
 			return createAuthorizationURL({
 				id: "vercel",
 				options,
 				authorizationEndpoint: "https://vercel.com/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -96,5 +90,5 @@ export const vercel = (options: VercelOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<VercelProfile>;
+	} satisfies OAuthProvider<VercelProfile>;
 };

package/src/social-providers/vk.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -26,33 +25,28 @@ export interface VkOption extends ProviderOptions {
 	scheme?: ("light" | "dark") | undefined;
 }
 
-const VK_DEFAULT_SCOPES = ["email", "phone"];
-
 export const vk = (options: VkOption) => {
 	const tokenEndpoint = "https://id.vk.com/oauth2/auth";
 	return {
 		id: "vk",
 		name: "VK",
-		callbackPath: "/callback/vk",
-		createAuthorizationURL({
+		async createAuthorizationURL({
 			state,
 			scopes,
 			codeVerifier,
 			redirectURI,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				VK_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["email", "phone"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			const authorizationEndpoint = "https://id.vk.com/authorize";
 
 			return createAuthorizationURL({
 				id: "vk",
 				options,
 				authorizationEndpoint,
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				codeVerifier,
@@ -134,5 +128,5 @@ export const vk = (options: VkOption) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<VkProfile>;
+	} satisfies OAuthProvider<VkProfile>;
 };

package/src/social-providers/wechat.ts

@@ -1,13 +1,6 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type {
-	OAuth2Tokens,
-	ProviderOptions,
-	UpstreamProvider,
-} from "../oauth2";
-import {
-	RESERVED_AUTHORIZATION_PARAMS_SET,
-	resolveRequestedScopes,
-} from "../oauth2";
+import type { OAuth2Tokens, OAuthProvider, ProviderOptions } from "../oauth2";
+import { RESERVED_AUTHORIZATION_PARAMS_SET } from "../oauth2";
 
 /**
  * WeChat user profile information
@@ -62,24 +55,19 @@ export interface WeChatOptions extends ProviderOptions<WeChatProfile> {
 	lang?: "cn" | "en";
 }
 
-const WECHAT_DEFAULT_SCOPES = ["snsapi_login"];
-
 export const wechat = (options: WeChatOptions) => {
 	return {
 		id: "wechat",
 		name: "WeChat",
-		callbackPath: "/callback/wechat",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				WECHAT_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["snsapi_login"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
 
 			// WeChat uses non-standard OAuth2 parameters (appid instead of client_id)
 			// and requires a fragment (#wechat_redirect), so we construct the URL manually.
 			const url = new URL("https://open.weixin.qq.com/connect/qrconnect");
-			url.searchParams.set("scope", requestedScopes.join(","));
+			url.searchParams.set("scope", _scopes.join(","));
 			url.searchParams.set("response_type", "code");
 			url.searchParams.set("appid", options.clientId);
 			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
@@ -94,7 +82,7 @@ export const wechat = (options: WeChatOptions) => {
 			}
 			url.hash = "wechat_redirect";
 
-			return { url, requestedScopes };
+			return url;
 		},
 
 		// WeChat uses non-standard token exchange (appid/secret instead of
@@ -236,5 +224,5 @@ export const wechat = (options: WeChatOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<WeChatProfile, WeChatOptions>;
+	} satisfies OAuthProvider<WeChatProfile, WeChatOptions>;
 };

package/src/social-providers/zoom.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -144,8 +143,6 @@ export interface ZoomOptions extends ProviderOptions<ZoomProfile> {
 	pkce?: boolean | undefined;
 }
 
-const ZOOM_DEFAULT_SCOPES: string[] = [];
-
 export const zoom = (userOptions: ZoomOptions) => {
 	const options = {
 		pkce: true,
@@ -155,31 +152,21 @@ export const zoom = (userOptions: ZoomOptions) => {
 	return {
 		id: "zoom",
 		name: "Zoom",
-		callbackPath: "/callback/zoom",
-		createAuthorizationURL: ({
+		createAuthorizationURL: async ({
 			state,
-			scopes,
 			redirectURI,
 			codeVerifier,
 			additionalParams,
-		}) => {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				ZOOM_DEFAULT_SCOPES,
-				scopes,
-			);
-
-			return createAuthorizationURL({
+		}) =>
+			createAuthorizationURL({
 				id: "zoom",
 				options,
 				authorizationEndpoint: "https://zoom.us/oauth/authorize",
-				scopes: requestedScopes,
 				state,
 				redirectURI,
 				codeVerifier: options.pkce ? codeVerifier : undefined,
 				additionalParams,
-			});
-		},
+			}),
 		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
 			return validateAuthorizationCode({
 				code,
@@ -235,5 +222,5 @@ export const zoom = (userOptions: ZoomOptions) => {
 				},
 			};
 		},
-	} satisfies UpstreamProvider<ZoomProfile>;
+	} satisfies OAuthProvider<ZoomProfile>;
 };

package/src/types/context.ts

@@ -10,7 +10,7 @@ import type {
 } from "../db";
 import type { DBAdapter, Where } from "../db/adapter";
 import type { createLogger } from "../env";
-import type { UpstreamProvider } from "../oauth2";
+import type { OAuthProvider } from "../oauth2";
 import type { BetterAuthCookie, BetterAuthCookies } from "./cookie";
 import type { Awaitable, LiteralString } from "./helper";
 import type {
@@ -88,6 +88,12 @@ export type GenericEndpointContext<
 export interface InternalAdapter<
 	_Options extends BetterAuthOptions = BetterAuthOptions,
 > {
+	createOAuthUser(
+		user: Omit<User, "id" | "createdAt" | "updatedAt">,
+		account: Omit<Account, "userId" | "id" | "createdAt" | "updatedAt"> &
+			Partial<Account>,
+	): Promise<{ user: User; account: Account }>;
+
 	createUser<T extends Record<string, any>>(
 		user: Omit<User, "id" | "createdAt" | "updatedAt" | "emailVerified"> &
 			Partial<User> &
@@ -369,7 +375,7 @@ export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
 					user: User & Record<string, any>;
 				} | null,
 			) => void;
-			socialProviders: UpstreamProvider[];
+			socialProviders: OAuthProvider[];
 			authCookies: BetterAuthCookies;
 			logger: ReturnType<typeof createLogger>;
 			rateLimit: {

package/src/utils/host.ts

@@ -49,7 +49,7 @@ export type HostKind =
 	| "multicast"
 	/** IPv4 limited broadcast `255.255.255.255`. */
 	| "broadcast"
-	/** Other RFC 6890 special-purpose ranges (0/8, 192.0.0/24, 240/4, 2001::/32, etc.). */
+	/** Other RFC 6890 special-purpose ranges (0.0.0.0/8, 192.0.0.0/24, 192.88.99.0/24, 240.0.0.0/4, 2001::/32, etc.). */
 	| "reserved"
 	/** Cloud metadata service FQDN (e.g. `metadata.google.internal`). */
 	| "cloudMetadata"
@@ -183,6 +183,8 @@ function classifyIPv4(ip: string): HostKind {
 	if (inIPv4Range(n, ipv4ToUint32("224.0.0.0"), 4)) return "multicast";
 	if (inIPv4Range(n, ipv4ToUint32("0.0.0.0"), 8)) return "reserved";
 	if (inIPv4Range(n, ipv4ToUint32("192.0.0.0"), 24)) return "reserved";
+	// 6to4 relay anycast (RFC 7526, deprecated), not globally reachable.
+	if (inIPv4Range(n, ipv4ToUint32("192.88.99.0"), 24)) return "reserved";
 	if (inIPv4Range(n, ipv4ToUint32("240.0.0.0"), 4)) return "reserved";
 
 	return "public";
@@ -231,6 +233,8 @@ function classifyIPv6(expanded: string): HostKind {
 
 	if (firstByte === 0xff) return "multicast";
 	if (firstByte === 0xfe && (secondByte & 0xc0) === 0x80) return "linkLocal";
+	// fec0::/10 — deprecated site-local (RFC 3879), not globally reachable.
+	if (firstByte === 0xfe && (secondByte & 0xc0) === 0xc0) return "reserved";
 	if ((firstByte & 0xfe) === 0xfc) return "private";
 
 	if (expanded.startsWith("2001:0db8:")) return "documentation";
@@ -270,6 +274,11 @@ function classifyIPv6(expanded: string): HostKind {
 	// 5f00::/16 — SRv6 SIDs (RFC 9602), not globally reachable.
 	if (expanded.startsWith("5f00:")) return "reserved";
 
+	// ::/96 — deprecated IPv4-compatible IPv6 (RFC 4291 §2.5.5.1). `::` and
+	// `::1` are matched above; the rest of the block embeds an IPv4 (e.g.
+	// `::127.0.0.1`) and is never a valid public target.
+	if (expanded.startsWith("0000:0000:0000:0000:0000:0000:")) return "reserved";
+
 	return "public";
 }
 

package/dist/oauth2/scopes.d.mts

@@ -1,76 +0,0 @@
-import { ProviderOptions } from "./oauth-provider.mjs";
-
-//#region src/oauth2/scopes.d.ts
-/**
- * Parse a provider's `scope` token-response field into a string array.
- *
- * RFC 6749 §3.3 defines `scope` as a space-delimited string, but providers
- * vary: some (e.g. Twitch) return an already-split array. Accept both, plus the
- * omitted/empty case, without ever calling `.split` on a non-string. Returns
- * `[]` when no scope is present.
- *
- * @see https://github.com/better-auth/better-auth/issues/9076
- */
-declare function parseScopeField(scope: unknown): string[];
-/**
- * Normalize a scope set into a single deduped, sorted array.
- *
- * Scope order is insignificant per RFC 6749 §3.3, so normalize for idempotent
- * writes and trivial comparisons: trim each token, drop empties, dedupe, and
- * sort ascending. Returns `[]` when the union is empty.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
- */
-declare function normalizeScopes(stored: string[] | null | undefined, incoming?: string[] | undefined): string[];
-/**
- * Union the stored granted-scope set with the scopes observed on an
- * authorization or token exchange.
- *
- * The provider's echoed `scope` is authoritative when present. RFC 6749 §3.3
- * and §5.1 say an omitted or empty echo means the grant equals what was
- * requested, so fall back to `requested` in that case. The result unions onto
- * the stored grant (never narrows on a normal write) and is normalized per
- * {@link normalizeScopes}.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
- */
-declare function unionGrantedScopes(stored: string[] | null | undefined, echoed: string[] | undefined, requested: string[] | undefined): string[];
-/**
- * Coerce a stored granted-scope value into a usable array.
- *
- * `account.grantedScopes` is nullable (legacy rows and non-OAuth accounts read
- * as unset), and on dialects that store the array as a JSON string a malformed
- * operator backfill could deserialize to a non-array. Both collapse to `[]`
- * here so every reader works against a real `string[]` without re-deriving the
- * guard.
- */
-declare function readGrantedScopes(stored: string[] | null | undefined): string[];
-/**
- * Test whether a normalized granted-scope set contains a specific scope.
- *
- * Matching is exact and case-sensitive per RFC 6749 §3.3. The argument is the
- * normalized `account.grantedScopes` array; a raw provider `scope` string must
- * be run through {@link parseScopeField} first.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
- */
-declare function includesGrantedScope(granted: string[] | null | undefined, scope: string): boolean;
-/**
- * Compose the effective scope set to encode in a single authorization URL.
- *
- * Precedence: the provider's built-in defaults (unless `disableDefaultScope`),
- * then the integrator's configured `options.scope`, then the per-request
- * `scopes`. The result is the value persisted into OAuth state as the RFC 6749
- * §5.1 fallback, so it is preserved verbatim (not normalized) to match what is
- * sent to the provider.
- *
- * `defaultScopes` is a parameter rather than a provider-contract field so the
- * runtime-synthesized generic OAuth provider, which has no static default set,
- * can pass its configured scopes here.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
- */
-declare function resolveRequestedScopes(options: Pick<ProviderOptions, "scope" | "disableDefaultScope"> | undefined, defaultScopes: string[], perRequestScopes: string[] | undefined): string[];
-//#endregion
-export { includesGrantedScope, normalizeScopes, parseScopeField, readGrantedScopes, resolveRequestedScopes, unionGrantedScopes };

package/dist/oauth2/scopes.mjs

@@ -1,96 +0,0 @@
-//#region src/oauth2/scopes.ts
-/**
-* Parse a provider's `scope` token-response field into a string array.
-*
-* RFC 6749 §3.3 defines `scope` as a space-delimited string, but providers
-* vary: some (e.g. Twitch) return an already-split array. Accept both, plus the
-* omitted/empty case, without ever calling `.split` on a non-string. Returns
-* `[]` when no scope is present.
-*
-* @see https://github.com/better-auth/better-auth/issues/9076
-*/
-function parseScopeField(scope) {
-	if (Array.isArray(scope)) return scope.filter((s) => typeof s === "string" && s !== "");
-	if (typeof scope === "string") return scope.split(" ").filter(Boolean);
-	return [];
-}
-/**
-* Normalize a scope set into a single deduped, sorted array.
-*
-* Scope order is insignificant per RFC 6749 §3.3, so normalize for idempotent
-* writes and trivial comparisons: trim each token, drop empties, dedupe, and
-* sort ascending. Returns `[]` when the union is empty.
-*
-* @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
-*/
-function normalizeScopes(stored, incoming) {
-	const normalized = /* @__PURE__ */ new Set();
-	for (const scope of [...stored ?? [], ...incoming ?? []]) {
-		const trimmed = scope.trim();
-		if (trimmed) normalized.add(trimmed);
-	}
-	return [...normalized].sort();
-}
-/**
-* Union the stored granted-scope set with the scopes observed on an
-* authorization or token exchange.
-*
-* The provider's echoed `scope` is authoritative when present. RFC 6749 §3.3
-* and §5.1 say an omitted or empty echo means the grant equals what was
-* requested, so fall back to `requested` in that case. The result unions onto
-* the stored grant (never narrows on a normal write) and is normalized per
-* {@link normalizeScopes}.
-*
-* @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
-* @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
-*/
-function unionGrantedScopes(stored, echoed, requested) {
-	return normalizeScopes(stored, echoed?.length ? echoed : requested);
-}
-/**
-* Coerce a stored granted-scope value into a usable array.
-*
-* `account.grantedScopes` is nullable (legacy rows and non-OAuth accounts read
-* as unset), and on dialects that store the array as a JSON string a malformed
-* operator backfill could deserialize to a non-array. Both collapse to `[]`
-* here so every reader works against a real `string[]` without re-deriving the
-* guard.
-*/
-function readGrantedScopes(stored) {
-	return Array.isArray(stored) ? stored : [];
-}
-/**
-* Test whether a normalized granted-scope set contains a specific scope.
-*
-* Matching is exact and case-sensitive per RFC 6749 §3.3. The argument is the
-* normalized `account.grantedScopes` array; a raw provider `scope` string must
-* be run through {@link parseScopeField} first.
-*
-* @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
-*/
-function includesGrantedScope(granted, scope) {
-	return granted?.includes(scope) ?? false;
-}
-/**
-* Compose the effective scope set to encode in a single authorization URL.
-*
-* Precedence: the provider's built-in defaults (unless `disableDefaultScope`),
-* then the integrator's configured `options.scope`, then the per-request
-* `scopes`. The result is the value persisted into OAuth state as the RFC 6749
-* §5.1 fallback, so it is preserved verbatim (not normalized) to match what is
-* sent to the provider.
-*
-* `defaultScopes` is a parameter rather than a provider-contract field so the
-* runtime-synthesized generic OAuth provider, which has no static default set,
-* can pass its configured scopes here.
-*
-* @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
-*/
-function resolveRequestedScopes(options, defaultScopes, perRequestScopes) {
-	const scopes = options?.disableDefaultScope ? [] : [...defaultScopes];
-	if (options?.scope) scopes.push(...options.scope);
-	if (perRequestScopes) scopes.push(...perRequestScopes);
-	return scopes;
-}
-//#endregion
-export { includesGrantedScope, normalizeScopes, parseScopeField, readGrantedScopes, resolveRequestedScopes, unionGrantedScopes };

package/src/oauth2/scopes.ts

@@ -1,118 +0,0 @@
-import type { ProviderOptions } from "./oauth-provider";
-
-/**
- * Parse a provider's `scope` token-response field into a string array.
- *
- * RFC 6749 §3.3 defines `scope` as a space-delimited string, but providers
- * vary: some (e.g. Twitch) return an already-split array. Accept both, plus the
- * omitted/empty case, without ever calling `.split` on a non-string. Returns
- * `[]` when no scope is present.
- *
- * @see https://github.com/better-auth/better-auth/issues/9076
- */
-export function parseScopeField(scope: unknown): string[] {
-	if (Array.isArray(scope))
-		return scope.filter((s): s is string => typeof s === "string" && s !== "");
-	if (typeof scope === "string") return scope.split(" ").filter(Boolean);
-	return [];
-}
-
-/**
- * Normalize a scope set into a single deduped, sorted array.
- *
- * Scope order is insignificant per RFC 6749 §3.3, so normalize for idempotent
- * writes and trivial comparisons: trim each token, drop empties, dedupe, and
- * sort ascending. Returns `[]` when the union is empty.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
- */
-export function normalizeScopes(
-	stored: string[] | null | undefined,
-	incoming?: string[] | undefined,
-): string[] {
-	const normalized = new Set<string>();
-	for (const scope of [...(stored ?? []), ...(incoming ?? [])]) {
-		const trimmed = scope.trim();
-		if (trimmed) normalized.add(trimmed);
-	}
-	return [...normalized].sort();
-}
-
-/**
- * Union the stored granted-scope set with the scopes observed on an
- * authorization or token exchange.
- *
- * The provider's echoed `scope` is authoritative when present. RFC 6749 §3.3
- * and §5.1 say an omitted or empty echo means the grant equals what was
- * requested, so fall back to `requested` in that case. The result unions onto
- * the stored grant (never narrows on a normal write) and is normalized per
- * {@link normalizeScopes}.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
- */
-export function unionGrantedScopes(
-	stored: string[] | null | undefined,
-	echoed: string[] | undefined,
-	requested: string[] | undefined,
-): string[] {
-	const granted = echoed?.length ? echoed : requested;
-	return normalizeScopes(stored, granted);
-}
-
-/**
- * Coerce a stored granted-scope value into a usable array.
- *
- * `account.grantedScopes` is nullable (legacy rows and non-OAuth accounts read
- * as unset), and on dialects that store the array as a JSON string a malformed
- * operator backfill could deserialize to a non-array. Both collapse to `[]`
- * here so every reader works against a real `string[]` without re-deriving the
- * guard.
- */
-export function readGrantedScopes(
-	stored: string[] | null | undefined,
-): string[] {
-	return Array.isArray(stored) ? stored : [];
-}
-
-/**
- * Test whether a normalized granted-scope set contains a specific scope.
- *
- * Matching is exact and case-sensitive per RFC 6749 §3.3. The argument is the
- * normalized `account.grantedScopes` array; a raw provider `scope` string must
- * be run through {@link parseScopeField} first.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
- */
-export function includesGrantedScope(
-	granted: string[] | null | undefined,
-	scope: string,
-): boolean {
-	return granted?.includes(scope) ?? false;
-}
-
-/**
- * Compose the effective scope set to encode in a single authorization URL.
- *
- * Precedence: the provider's built-in defaults (unless `disableDefaultScope`),
- * then the integrator's configured `options.scope`, then the per-request
- * `scopes`. The result is the value persisted into OAuth state as the RFC 6749
- * §5.1 fallback, so it is preserved verbatim (not normalized) to match what is
- * sent to the provider.
- *
- * `defaultScopes` is a parameter rather than a provider-contract field so the
- * runtime-synthesized generic OAuth provider, which has no static default set,
- * can pass its configured scopes here.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
- */
-export function resolveRequestedScopes(
-	options: Pick<ProviderOptions, "scope" | "disableDefaultScope"> | undefined,
-	defaultScopes: string[],
-	perRequestScopes: string[] | undefined,
-): string[] {
-	const scopes = options?.disableDefaultScope ? [] : [...defaultScopes];
-	if (options?.scope) scopes.push(...options.scope);
-	if (perRequestScopes) scopes.push(...perRequestScopes);
-	return scopes;
-}