@better-auth/core 1.7.0-beta.6 → 1.7.0-beta.8

package/dist/social-providers/atlassian.mjs

@@ -1,29 +1,29 @@
 import { BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/atlassian.ts
-const ATLASSIAN_DEFAULT_SCOPES = ["read:jira-user", "offline_access"];
 const atlassian = (options) => {
 	const tokenEndpoint = "https://auth.atlassian.com/oauth/token";
 	return {
 		id: "atlassian",
 		name: "Atlassian",
-		callbackPath: "/callback/atlassian",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Secret are required for Atlassian");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Atlassian");
+			const _scopes = options.disableDefaultScope ? [] : ["read:jira-user", "offline_access"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "atlassian",
 				options,
 				authorizationEndpoint: "https://auth.atlassian.com/authorize",
-				scopes: resolveRequestedScopes(options, ATLASSIAN_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/cognito.d.mts

@@ -49,7 +49,6 @@ interface CognitoOptions extends ProviderOptions<CognitoProfile> {
 declare const cognito: (options: CognitoOptions) => {
   id: "cognito";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -63,11 +62,9 @@ declare const cognito: (options: CognitoOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -86,6 +83,7 @@ declare const cognito: (options: CognitoOptions) => {
     maxTokenAge: string;
   };
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/cognito.mjs

@@ -1,6 +1,5 @@
 import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
@@ -8,11 +7,6 @@ import { validateAuthorizationCode } from "../oauth2/validate-authorization-code
 import { decodeJwt, importJWK } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/cognito.ts
-const COGNITO_DEFAULT_SCOPES = [
-	"openid",
-	"profile",
-	"email"
-];
 const cognito = (options) => {
 	if (!options.domain || !options.region || !options.userPoolId) {
 		logger.error("Domain, region and userPoolId are required for Amazon Cognito. Make sure to provide them in the options.");
@@ -25,7 +19,6 @@ const cognito = (options) => {
 	return {
 		id: "cognito",
 		name: "Cognito",
-		callbackPath: "/callback/cognito",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!getPrimaryClientId(options.clientId)) {
 				logger.error("ClientId is required for Amazon Cognito. Make sure to provide them in the options.");
@@ -35,12 +28,18 @@ const cognito = (options) => {
 				logger.error("Client Secret is required when requireClientSecret is true. Make sure to provide it in the options.");
 				throw new BetterAuthError("CLIENT_SECRET_REQUIRED");
 			}
-			const requestedScopes = resolveRequestedScopes(options, COGNITO_DEFAULT_SCOPES, scopes);
-			const { url } = await createAuthorizationURL({
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			const url = await createAuthorizationURL({
 				id: "cognito",
 				options: { ...options },
 				authorizationEndpoint,
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -56,15 +55,9 @@ const cognito = (options) => {
 				const encodedScope = encodeURIComponent(scopeValue);
 				const urlString = url.toString();
 				const separator = urlString.includes("?") ? "&" : "?";
-				return {
-					url: new URL(`${urlString}${separator}scope=${encodedScope}`),
-					requestedScopes
-				};
+				return new URL(`${urlString}${separator}scope=${encodedScope}`);
 			}
-			return {
-				url,
-				requestedScopes
-			};
+			return url;
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
 			return validateAuthorizationCode({

package/dist/social-providers/discord.d.mts

@@ -77,7 +77,6 @@ interface DiscordOptions extends ProviderOptions<DiscordProfile> {
 declare const discord: (options: DiscordOptions) => {
   id: "discord";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -90,11 +89,9 @@ declare const discord: (options: DiscordOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     redirectURI
@@ -106,6 +103,7 @@ declare const discord: (options: DiscordOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/discord.mjs

@@ -1,24 +1,23 @@
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/discord.ts
-const DISCORD_DEFAULT_SCOPES = ["identify", "email"];
 const discord = (options) => {
 	const tokenEndpoint = "https://discord.com/api/oauth2/token";
 	return {
 		id: "discord",
 		name: "Discord",
-		callbackPath: "/callback/discord",
-		async createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const requestedScopes = resolveRequestedScopes(options, DISCORD_DEFAULT_SCOPES, scopes);
-			const hasBotScope = requestedScopes.includes("bot");
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
+			const _scopes = options.disableDefaultScope ? [] : ["identify", "email"];
+			if (scopes) _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			const hasBotScope = _scopes.includes("bot");
 			return createAuthorizationURL({
 				id: "discord",
 				options,
 				authorizationEndpoint: "https://discord.com/api/oauth2/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				prompt: options.prompt || "none",

package/dist/social-providers/dropbox.d.mts

@@ -20,7 +20,6 @@ interface DropboxOptions extends ProviderOptions<DropboxProfile> {
 declare const dropbox: (options: DropboxOptions) => {
   id: "dropbox";
   name: string;
-  callbackPath: string;
   createAuthorizationURL: ({
     state,
     scopes,
@@ -34,11 +33,9 @@ declare const dropbox: (options: DropboxOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }) => Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }) => Promise<URL>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -51,6 +48,7 @@ declare const dropbox: (options: DropboxOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/dropbox.mjs

@@ -1,22 +1,22 @@
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/dropbox.ts
-const DROPBOX_DEFAULT_SCOPES = ["account_info.read"];
 const dropbox = (options) => {
 	const tokenEndpoint = "https://api.dropboxapi.com/oauth2/token";
 	return {
 		id: "dropbox",
 		name: "Dropbox",
-		callbackPath: "/callback/dropbox",
 		createAuthorizationURL: async ({ state, scopes, codeVerifier, redirectURI, additionalParams }) => {
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "dropbox",
 				options,
 				authorizationEndpoint: "https://www.dropbox.com/oauth2/authorize",
-				scopes: resolveRequestedScopes(options, DROPBOX_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				redirectURI,
 				codeVerifier,

package/dist/social-providers/facebook.d.mts

@@ -32,7 +32,6 @@ interface FacebookOptions extends ProviderOptions<FacebookProfile> {
 declare const facebook: (options: FacebookOptions) => {
   id: "facebook";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -46,11 +45,9 @@ declare const facebook: (options: FacebookOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     redirectURI
@@ -76,6 +73,7 @@ declare const facebook: (options: FacebookOptions) => {
   };
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/facebook.mjs

@@ -1,6 +1,5 @@
 import { BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
@@ -36,22 +35,23 @@ async function verifyFacebookAccessToken(accessToken, options) {
 	if (is_valid !== true || !app_id || !clientIds.includes(app_id) || !user_id) return null;
 	return user_id;
 }
-const FACEBOOK_DEFAULT_SCOPES = ["email", "public_profile"];
 const facebook = (options) => {
 	return {
 		id: "facebook",
 		name: "Facebook",
-		callbackPath: "/callback/facebook",
 		async createAuthorizationURL({ state, scopes, redirectURI, loginHint, additionalParams }) {
 			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error("Client ID and client secret are required for Facebook. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope ? [] : ["email", "public_profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "facebook",
 				options,
 				authorizationEndpoint: "https://www.facebook.com/v24.0/dialog/oauth",
-				scopes: resolveRequestedScopes(options, FACEBOOK_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				redirectURI,
 				loginHint,

package/dist/social-providers/figma.d.mts

@@ -12,7 +12,6 @@ interface FigmaOptions extends ProviderOptions<FigmaProfile> {
 declare const figma: (options: FigmaOptions) => {
   id: "figma";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -26,11 +25,9 @@ declare const figma: (options: FigmaOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -43,6 +40,7 @@ declare const figma: (options: FigmaOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/figma.mjs

@@ -1,29 +1,29 @@
 import { BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/figma.ts
-const FIGMA_DEFAULT_SCOPES = ["current_user:read"];
 const figma = (options) => {
 	const tokenEndpoint = "https://api.figma.com/v1/oauth/token";
 	return {
 		id: "figma",
 		name: "Figma",
-		callbackPath: "/callback/figma",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Client Secret are required for Figma. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Figma");
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope ? [] : ["current_user:read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "figma",
 				options,
 				authorizationEndpoint: "https://www.figma.com/oauth",
-				scopes: resolveRequestedScopes(options, FIGMA_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/github.d.mts

@@ -52,7 +52,6 @@ interface GithubOptions extends ProviderOptions<GithubProfile> {
 declare const github: (options: GithubOptions) => {
   id: "github";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -67,11 +66,9 @@ declare const github: (options: GithubOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -84,6 +81,7 @@ declare const github: (options: GithubOptions) => {
   }) => Promise<OAuth2Tokens | null>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/github.mjs

@@ -1,24 +1,24 @@
 import { logger } from "../env/logger.mjs";
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getOAuth2Tokens } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { authorizationCodeRequest } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/github.ts
-const GITHUB_DEFAULT_SCOPES = ["read:user", "user:email"];
 const github = (options) => {
 	const tokenEndpoint = "https://github.com/login/oauth/access_token";
 	return {
 		id: "github",
 		name: "GitHub",
-		callbackPath: "/callback/github",
 		createAuthorizationURL({ state, scopes, loginHint, codeVerifier, redirectURI, additionalParams }) {
+			const _scopes = options.disableDefaultScope ? [] : ["read:user", "user:email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "github",
 				options,
 				authorizationEndpoint: "https://github.com/login/oauth/authorize",
-				scopes: resolveRequestedScopes(options, GITHUB_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/gitlab.d.mts

@@ -52,7 +52,6 @@ interface GitlabOptions extends ProviderOptions<GitlabProfile> {
 declare const gitlab: (options: GitlabOptions) => {
   id: "gitlab";
   name: string;
-  callbackPath: string;
   createAuthorizationURL: ({
     state,
     scopes,
@@ -67,11 +66,9 @@ declare const gitlab: (options: GitlabOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }) => Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }) => Promise<URL>;
   validateAuthorizationCode: ({
     code,
     redirectURI,
@@ -84,6 +81,7 @@ declare const gitlab: (options: GitlabOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/gitlab.mjs

@@ -1,4 +1,3 @@
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -15,20 +14,21 @@ const issuerToEndpoints = (issuer) => {
 		userinfoEndpoint: cleanDoubleSlashes(`${baseUrl}/api/v4/user`)
 	};
 };
-const GITLAB_DEFAULT_SCOPES = ["read_user"];
 const gitlab = (options) => {
 	const { authorizationEndpoint, tokenEndpoint, userinfoEndpoint } = issuerToEndpoints(options.issuer);
 	const issuerId = "gitlab";
 	return {
 		id: issuerId,
 		name: "Gitlab",
-		callbackPath: "/callback/gitlab",
-		createAuthorizationURL: ({ state, scopes, codeVerifier, loginHint, redirectURI, additionalParams }) => {
-			return createAuthorizationURL({
+		createAuthorizationURL: async ({ state, scopes, codeVerifier, loginHint, redirectURI, additionalParams }) => {
+			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: issuerId,
 				options,
 				authorizationEndpoint,
-				scopes: resolveRequestedScopes(options, GITLAB_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				redirectURI,
 				codeVerifier,

package/dist/social-providers/google.d.mts

@@ -48,19 +48,20 @@ interface GoogleOptions extends ProviderOptions<GoogleProfile> {
    */
   hd?: string | undefined;
   /**
-   * Enable incremental authorization via Google's `include_granted_scopes`
-   * parameter. When enabled, Google reports the user's full granted scope set
-   * in the token response.
+   * Whether to send `include_granted_scopes=true` to Google's authorization
+   * endpoint, which lets new access tokens cover scopes from prior grants
+   * in addition to the ones requested for this flow. Set to `false` when
+   * each OAuth flow should request only its own scopes.
    *
-   * @default true
+   * Defaults to `true`.
+   *
+   * @see https://developers.google.com/identity/protocols/oauth2/web-server#incrementalAuth
    */
   includeGrantedScopes?: boolean | undefined;
 }
 declare const google: (options: GoogleOptions) => {
   id: "google";
   name: string;
-  callbackPath: string;
-  grantAuthority: "full-grant" | "projection";
   createAuthorizationURL({
     state,
     scopes,
@@ -76,11 +77,9 @@ declare const google: (options: GoogleOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -100,6 +99,7 @@ declare const google: (options: GoogleOptions) => {
     verifyClaims: ((claims: Record<string, unknown>) => boolean) | undefined;
   };
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/google.mjs

@@ -1,6 +1,5 @@
 import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
@@ -8,28 +7,28 @@ import { validateAuthorizationCode } from "../oauth2/validate-authorization-code
 import { decodeJwt, importJWK } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/google.ts
-const GOOGLE_DEFAULT_SCOPES = [
-	"email",
-	"profile",
-	"openid"
-];
 const google = (options) => {
 	return {
 		id: "google",
 		name: "Google",
-		callbackPath: "/callback/google",
-		grantAuthority: options.includeGrantedScopes !== false ? "full-grant" : "projection",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, display, additionalParams }) {
 			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Google");
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope ? [] : [
+				"email",
+				"profile",
+				"openid"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "google",
 				options,
 				authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
-				scopes: resolveRequestedScopes(options, GOOGLE_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -38,9 +37,9 @@ const google = (options) => {
 				display: display || options.display,
 				loginHint,
 				hd: options.hd,
-				additionalParams: options.includeGrantedScopes === false ? { ...additionalParams ?? {} } : {
-					...additionalParams ?? {},
-					include_granted_scopes: "true"
+				additionalParams: {
+					...options.includeGrantedScopes === false ? {} : { include_granted_scopes: "true" },
+					...additionalParams ?? {}
 				}
 			});
 		},

package/dist/social-providers/huggingface.d.mts

@@ -34,7 +34,6 @@ interface HuggingFaceOptions extends ProviderOptions<HuggingFaceProfile> {
 declare const huggingface: (options: HuggingFaceOptions) => {
   id: "huggingface";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -48,11 +47,9 @@ declare const huggingface: (options: HuggingFaceOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -65,6 +62,7 @@ declare const huggingface: (options: HuggingFaceOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;