@better-auth/core 1.7.0-beta.6 → 1.7.0-beta.8

package/src/oauth2/refresh-access-token.ts

@@ -6,6 +6,7 @@ import type {
 	TokenEndpointSecretAuthentication,
 } from "./token-endpoint-auth";
 import { applyTokenEndpointAuth } from "./token-endpoint-auth";
+import { parseScopeField } from "./utils";
 
 interface RefreshAccessTokenRequestInput {
 	refreshToken: string;
@@ -29,6 +30,21 @@ interface RefreshAccessTokenInput extends RefreshAccessTokenRequestInput {
 	tokenEndpoint: string;
 }
 
+/**
+ * Body keys owned by the refresh-token flow or unsafe to copy from caller input.
+ */
+const BLOCKED_REFRESH_TOKEN_PARAMS = [
+	"grant_type",
+	"refresh_token",
+	"__proto__",
+	"constructor",
+	"prototype",
+] as const;
+
+const BLOCKED_REFRESH_TOKEN_PARAMS_SET: ReadonlySet<string> = new Set(
+	BLOCKED_REFRESH_TOKEN_PARAMS,
+);
+
 export async function refreshAccessTokenRequest({
 	refreshToken,
 	options,
@@ -59,6 +75,17 @@ export async function refreshAccessTokenRequest({
 	return request;
 }
 
+function applyRefreshExtraParams(
+	body: URLSearchParams,
+	extraParams: Record<string, string> | undefined,
+) {
+	if (!extraParams) return;
+	for (const [key, value] of Object.entries(extraParams)) {
+		if (BLOCKED_REFRESH_TOKEN_PARAMS_SET.has(key)) continue;
+		body.set(key, value);
+	}
+}
+
 function buildRefreshAccessTokenRequest({
 	refreshToken,
 	options,
@@ -83,9 +110,7 @@ function buildRefreshAccessTokenRequest({
 		}
 	}
 	if (extraParams) {
-		for (const [key, value] of Object.entries(extraParams)) {
-			body.set(key, value);
-		}
+		applyRefreshExtraParams(body, extraParams);
 	}
 
 	return {
@@ -119,7 +144,7 @@ export async function refreshAccessToken({
 		expires_in?: number | undefined;
 		refresh_token_expires_in?: number | undefined;
 		token_type?: string | undefined;
-		scope?: (string | string[]) | undefined;
+		scope?: unknown;
 		id_token?: string | undefined;
 	}>(tokenEndpoint, {
 		method: "POST",
@@ -133,7 +158,7 @@ export async function refreshAccessToken({
 		accessToken: data.access_token,
 		refreshToken: data.refresh_token,
 		tokenType: data.token_type,
-		scopes: Array.isArray(data.scope) ? data.scope : data.scope?.split(" "),
+		scopes: parseScopeField(data.scope),
 		idToken: data.id_token,
 	};
 

package/src/oauth2/utils.ts

@@ -1,6 +1,26 @@
 import { base64Url } from "@better-auth/utils/base64";
 import type { OAuth2Tokens } from "./oauth-provider";
-import { parseScopeField } from "./scopes";
+
+/**
+ * Parse a provider's `scope` token-response field into a string array.
+ *
+ * RFC 6749 Section 3.3 defines `scope` as a space-delimited string, but
+ * providers vary: some return an already-split array. Accept both forms and
+ * drop empty or non-string entries.
+ *
+ * @see https://github.com/better-auth/better-auth/issues/9076
+ */
+export function parseScopeField(scope: unknown): string[] {
+	if (Array.isArray(scope)) {
+		return scope
+			.map((s) => (typeof s === "string" ? s.trim() : ""))
+			.filter(Boolean);
+	}
+	if (typeof scope === "string") {
+		return scope.trim().split(/\s+/).filter(Boolean);
+	}
+	return [];
+}
 
 export function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens {
 	const getDate = (seconds: number) => {
@@ -44,6 +64,24 @@ export function applyDefaultAccessTokenExpiry(
 	return tokens;
 }
 
+/**
+ * Compute the union of stored and incoming OAuth scopes, preserving
+ * stored insertion order and dropping duplicates.
+ */
+export function mergeScopes(
+	stored: string | null | undefined,
+	incoming: string[] | undefined,
+): string {
+	const existing = stored
+		? stored
+				.split(",")
+				.map((scope) => scope.trim())
+				.filter(Boolean)
+		: [];
+	const next = (incoming ?? []).map((scope) => scope.trim()).filter(Boolean);
+	return [...new Set([...existing, ...next])].join(",");
+}
+
 /**
  * Return the provider's primary Client ID: the single string, or the entry at
  * array index 0 for the cross-platform form used by ID token audience

package/src/oauth2/verify-id-token.ts

@@ -1,5 +1,7 @@
 import { decodeProtectedHeader, jwtVerify } from "jose";
-import type { ProviderOptions, UpstreamProvider } from "./oauth-provider";
+import type { OAuthProvider, ProviderOptions } from "./oauth-provider";
+
+type ProviderWithIdTokenConfig = Pick<OAuthProvider, "idToken" | "options">;
 
 async function sha256Hex(value: string) {
 	const data = new TextEncoder().encode(value);
@@ -29,12 +31,12 @@ async function nonceMatches(
 /**
  * Whether a provider can verify a client-submitted id_token.
  *
- * A provider supports id_token sign-in when it declares an {@link UpstreamProvider.idToken}
+ * A provider supports id_token sign-in when it declares an {@link OAuthProvider.idToken}
  * verification config, or when the integrator supplies a `verifyIdToken` override on the
  * provider options. A provider whose options set `disableIdTokenSignIn`, or that declares
  * neither, rejects the client id_token sign-in path with `ID_TOKEN_NOT_SUPPORTED`.
  */
-export function supportsIdTokenSignIn(provider: UpstreamProvider<any, any>) {
+export function supportsIdTokenSignIn(provider: ProviderWithIdTokenConfig) {
 	const options = (provider.options ?? {}) as Partial<ProviderOptions>;
 	if (options.disableIdTokenSignIn) {
 		return false;
@@ -46,7 +48,7 @@ export function supportsIdTokenSignIn(provider: UpstreamProvider<any, any>) {
  * Verify a client-submitted id_token against a provider's verification config.
  *
  * This is the single id_token verifier for every social provider. Providers no longer
- * implement their own boolean `verifyIdToken`; they declare an {@link UpstreamProvider.idToken}
+ * implement their own boolean `verifyIdToken`; they declare an {@link OAuthProvider.idToken}
  * config and this function performs the cryptographic check. The contract is fail-closed: a
  * provider without a config (and without an integrator `verifyIdToken` override) returns
  * `false`, so a forged token can never be accepted by omission.
@@ -54,7 +56,7 @@ export function supportsIdTokenSignIn(provider: UpstreamProvider<any, any>) {
  * @returns `true` only when the token is authentic for the provider.
  */
 export async function verifyProviderIdToken(
-	provider: UpstreamProvider<any, any>,
+	provider: ProviderWithIdTokenConfig,
 	token: string,
 	nonce?: string,
 ): Promise<boolean> {
@@ -79,6 +81,8 @@ export async function verifyProviderIdToken(
 		// Opaque (non-JWS) tokens carry no signature to check. They are accepted only when the
 		// provider opts in, in which case getUserInfo resolves identity from the access token via
 		// the provider's userinfo endpoint, which validates it (e.g. Facebook Graph access tokens).
+		// An expected `nonce` is not enforced here: an opaque token carries no `nonce` claim, and the
+		// access-token-backed userinfo exchange (not the token itself) is the identity source.
 		if (token.split(".").length !== 3) {
 			return config.allowOpaqueToken === true;
 		}

package/src/social-providers/apple.ts

@@ -3,12 +3,11 @@ import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt, importJWK } from "jose";
 import { logger } from "../env";
 import { APIError, BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 export interface AppleProfile {
@@ -78,14 +77,11 @@ export interface AppleOptions extends ProviderOptions<AppleProfile> {
 	audience?: (string | string[]) | undefined;
 }
 
-const APPLE_DEFAULT_SCOPES = ["email", "name"];
-
 export const apple = (options: AppleOptions) => {
 	const tokenEndpoint = "https://appleid.apple.com/auth/token";
 	return {
 		id: "apple",
 		name: "Apple",
-		callbackPath: "/callback/apple",
 		async createAuthorizationURL({
 			state,
 			scopes,
@@ -98,22 +94,21 @@ export const apple = (options: AppleOptions) => {
 				);
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				APPLE_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
+			if (options.scope) _scope.push(...options.scope);
+			if (scopes) _scope.push(...scopes);
+			const url = await createAuthorizationURL({
 				id: "apple",
 				options,
 				authorizationEndpoint: "https://appleid.apple.com/auth/authorize",
-				scopes: requestedScopes,
+				scopes: _scope,
 				state,
 				redirectURI,
 				responseMode: "form_post",
 				responseType: "code id_token",
 				additionalParams,
 			});
+			return url;
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
 			return validateAuthorizationCode({
@@ -189,7 +184,7 @@ export const apple = (options: AppleOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<AppleProfile>;
+	} satisfies OAuthProvider<AppleProfile>;
 };
 
 export const getApplePublicKey = async (kid: string) => {

package/src/social-providers/atlassian.ts

@@ -1,11 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -30,14 +29,11 @@ export interface AtlassianOptions extends ProviderOptions<AtlassianProfile> {
 	clientId: string;
 }
 
-const ATLASSIAN_DEFAULT_SCOPES = ["read:jira-user", "offline_access"];
-
 export const atlassian = (options: AtlassianOptions) => {
 	const tokenEndpoint = "https://auth.atlassian.com/oauth/token";
 	return {
 		id: "atlassian",
 		name: "Atlassian",
-		callbackPath: "/callback/atlassian",
 
 		async createAuthorizationURL({
 			state,
@@ -54,17 +50,17 @@ export const atlassian = (options: AtlassianOptions) => {
 				throw new BetterAuthError("codeVerifier is required for Atlassian");
 			}
 
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				ATLASSIAN_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["read:jira-user", "offline_access"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 
 			return createAuthorizationURL({
 				id: "atlassian",
 				options,
 				authorizationEndpoint: "https://auth.atlassian.com/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -140,5 +136,5 @@ export const atlassian = (options: AtlassianOptions) => {
 		},
 
 		options,
-	} satisfies UpstreamProvider<AtlassianProfile>;
+	} satisfies OAuthProvider<AtlassianProfile>;
 };

package/src/social-providers/cognito.ts

@@ -2,12 +2,11 @@ import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt, importJWK } from "jose";
 import { logger } from "../env";
 import { APIError, BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -58,8 +57,6 @@ export interface CognitoOptions extends ProviderOptions<CognitoProfile> {
 	identityProvider?: string | undefined;
 }
 
-const COGNITO_DEFAULT_SCOPES = ["openid", "profile", "email"];
-
 export const cognito = (options: CognitoOptions) => {
 	if (!options.domain || !options.region || !options.userPoolId) {
 		logger.error(
@@ -76,7 +73,6 @@ export const cognito = (options: CognitoOptions) => {
 	return {
 		id: "cognito",
 		name: "Cognito",
-		callbackPath: "/callback/cognito",
 		async createAuthorizationURL({
 			state,
 			scopes,
@@ -97,19 +93,19 @@ export const cognito = (options: CognitoOptions) => {
 				);
 				throw new BetterAuthError("CLIENT_SECRET_REQUIRED");
 			}
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				COGNITO_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 
-			const { url } = await createAuthorizationURL({
+			const url = await createAuthorizationURL({
 				id: "cognito",
 				options: {
 					...options,
 				},
 				authorizationEndpoint,
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -130,12 +126,9 @@ export const cognito = (options: CognitoOptions) => {
 				// Manually append the scope with proper encoding to the URL
 				const urlString = url.toString();
 				const separator = urlString.includes("?") ? "&" : "?";
-				return {
-					url: new URL(`${urlString}${separator}scope=${encodedScope}`),
-					requestedScopes,
-				};
+				return new URL(`${urlString}${separator}scope=${encodedScope}`);
 			}
-			return { url, requestedScopes };
+			return url;
 		},
 
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
@@ -243,7 +236,7 @@ export const cognito = (options: CognitoOptions) => {
 		},
 
 		options,
-	} satisfies UpstreamProvider<CognitoProfile>;
+	} satisfies OAuthProvider<CognitoProfile>;
 };
 
 export const getCognitoPublicKey = async (

package/src/social-providers/discord.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 export interface DiscordProfile extends Record<string, any> {
@@ -84,31 +83,21 @@ export interface DiscordOptions extends ProviderOptions<DiscordProfile> {
 	permissions?: number | undefined;
 }
 
-const DISCORD_DEFAULT_SCOPES = ["identify", "email"];
-
 export const discord = (options: DiscordOptions) => {
 	const tokenEndpoint = "https://discord.com/api/oauth2/token";
 	return {
 		id: "discord",
 		name: "Discord",
-		callbackPath: "/callback/discord",
-		async createAuthorizationURL({
-			state,
-			scopes,
-			redirectURI,
-			additionalParams,
-		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				DISCORD_DEFAULT_SCOPES,
-				scopes,
-			);
-			const hasBotScope = requestedScopes.includes("bot");
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
+			const _scopes = options.disableDefaultScope ? [] : ["identify", "email"];
+			if (scopes) _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			const hasBotScope = _scopes.includes("bot");
 			return createAuthorizationURL({
 				id: "discord",
 				options,
 				authorizationEndpoint: "https://discord.com/api/oauth2/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				prompt: options.prompt || "none",
@@ -181,5 +170,5 @@ export const discord = (options: DiscordOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<DiscordProfile>;
+	} satisfies OAuthProvider<DiscordProfile>;
 };

package/src/social-providers/dropbox.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -26,15 +25,12 @@ export interface DropboxOptions extends ProviderOptions<DropboxProfile> {
 	accessType?: ("offline" | "online" | "legacy") | undefined;
 }
 
-const DROPBOX_DEFAULT_SCOPES = ["account_info.read"];
-
 export const dropbox = (options: DropboxOptions) => {
 	const tokenEndpoint = "https://api.dropboxapi.com/oauth2/token";
 
 	return {
 		id: "dropbox",
 		name: "Dropbox",
-		callbackPath: "/callback/dropbox",
 		createAuthorizationURL: async ({
 			state,
 			scopes,
@@ -42,16 +38,14 @@ export const dropbox = (options: DropboxOptions) => {
 			redirectURI,
 			additionalParams,
 		}) => {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				DROPBOX_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "dropbox",
 				options,
 				authorizationEndpoint: "https://www.dropbox.com/oauth2/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				codeVerifier,
@@ -116,5 +110,5 @@ export const dropbox = (options: DropboxOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<DropboxProfile>;
+	} satisfies OAuthProvider<DropboxProfile>;
 };

package/src/social-providers/facebook.ts

@@ -2,12 +2,11 @@ import { betterFetch } from "@better-fetch/fetch";
 import { createRemoteJWKSet, decodeJwt } from "jose";
 import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 export interface FacebookProfile {
@@ -92,13 +91,10 @@ export interface FacebookOptions extends ProviderOptions<FacebookProfile> {
 	configId?: string | undefined;
 }
 
-const FACEBOOK_DEFAULT_SCOPES = ["email", "public_profile"];
-
 export const facebook = (options: FacebookOptions) => {
 	return {
 		id: "facebook",
 		name: "Facebook",
-		callbackPath: "/callback/facebook",
 		async createAuthorizationURL({
 			state,
 			scopes,
@@ -112,16 +108,16 @@ export const facebook = (options: FacebookOptions) => {
 				);
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				FACEBOOK_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["email", "public_profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "facebook",
 				options,
 				authorizationEndpoint: "https://www.facebook.com/v24.0/dialog/oauth",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				loginHint,
@@ -262,5 +258,5 @@ export const facebook = (options: FacebookOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<FacebookProfile>;
+	} satisfies OAuthProvider<FacebookProfile>;
 };

package/src/social-providers/figma.ts

@@ -1,11 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -20,14 +19,11 @@ export interface FigmaOptions extends ProviderOptions<FigmaProfile> {
 	clientId: string;
 }
 
-const FIGMA_DEFAULT_SCOPES = ["current_user:read"];
-
 export const figma = (options: FigmaOptions) => {
 	const tokenEndpoint = "https://api.figma.com/v1/oauth/token";
 	return {
 		id: "figma",
 		name: "Figma",
-		callbackPath: "/callback/figma",
 		async createAuthorizationURL({
 			state,
 			scopes,
@@ -45,22 +41,22 @@ export const figma = (options: FigmaOptions) => {
 				throw new BetterAuthError("codeVerifier is required for Figma");
 			}
 
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				FIGMA_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["current_user:read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 
-			return createAuthorizationURL({
+			const url = await createAuthorizationURL({
 				id: "figma",
 				options,
 				authorizationEndpoint: "https://www.figma.com/oauth",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
 				additionalParams,
 			});
+
+			return url;
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
 			return validateAuthorizationCode({
@@ -125,5 +121,5 @@ export const figma = (options: FigmaOptions) => {
 			}
 		},
 		options,
-	} satisfies UpstreamProvider<FigmaProfile>;
+	} satisfies OAuthProvider<FigmaProfile>;
 };

package/src/social-providers/github.ts

@@ -1,11 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { logger } from "../env";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getOAuth2Tokens,
 	refreshAccessToken,
-	resolveRequestedScopes,
 } from "../oauth2";
 import { authorizationCodeRequest } from "../oauth2/validate-authorization-code";
 
@@ -59,14 +58,11 @@ export interface GithubProfile {
 export interface GithubOptions extends ProviderOptions<GithubProfile> {
 	clientId: string;
 }
-const GITHUB_DEFAULT_SCOPES = ["read:user", "user:email"];
-
 export const github = (options: GithubOptions) => {
 	const tokenEndpoint = "https://github.com/login/oauth/access_token";
 	return {
 		id: "github",
 		name: "GitHub",
-		callbackPath: "/callback/github",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -75,16 +71,16 @@ export const github = (options: GithubOptions) => {
 			redirectURI,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				GITHUB_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["read:user", "user:email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "github",
 				options,
 				authorizationEndpoint: "https://github.com/login/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -186,5 +182,5 @@ export const github = (options: GithubOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<GithubProfile>;
+	} satisfies OAuthProvider<GithubProfile>;
 };