@better-auth/core 1.7.0-beta.6 → 1.7.0-beta.8

package/src/social-providers/gitlab.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -74,8 +73,6 @@ const issuerToEndpoints = (issuer?: string | undefined) => {
 	};
 };
 
-const GITLAB_DEFAULT_SCOPES = ["read_user"];
-
 export const gitlab = (options: GitlabOptions) => {
 	const { authorizationEndpoint, tokenEndpoint, userinfoEndpoint } =
 		issuerToEndpoints(options.issuer);
@@ -84,8 +81,7 @@ export const gitlab = (options: GitlabOptions) => {
 	return {
 		id: issuerId,
 		name: issuerName,
-		callbackPath: "/callback/gitlab",
-		createAuthorizationURL: ({
+		createAuthorizationURL: async ({
 			state,
 			scopes,
 			codeVerifier,
@@ -93,16 +89,14 @@ export const gitlab = (options: GitlabOptions) => {
 			redirectURI,
 			additionalParams,
 		}) => {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				GITLAB_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: issuerId,
 				options,
 				authorizationEndpoint,
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				codeVerifier,
@@ -159,5 +153,5 @@ export const gitlab = (options: GitlabOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<GitlabProfile>;
+	} satisfies OAuthProvider<GitlabProfile>;
 };

package/src/social-providers/google.ts

@@ -2,12 +2,11 @@ import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt, importJWK } from "jose";
 import { logger } from "../env";
 import { APIError, BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -58,24 +57,22 @@ export interface GoogleOptions extends ProviderOptions<GoogleProfile> {
 	 */
 	hd?: string | undefined;
 	/**
-	 * Enable incremental authorization via Google's `include_granted_scopes`
-	 * parameter. When enabled, Google reports the user's full granted scope set
-	 * in the token response.
+	 * Whether to send `include_granted_scopes=true` to Google's authorization
+	 * endpoint, which lets new access tokens cover scopes from prior grants
+	 * in addition to the ones requested for this flow. Set to `false` when
+	 * each OAuth flow should request only its own scopes.
 	 *
-	 * @default true
+	 * Defaults to `true`.
+	 *
+	 * @see https://developers.google.com/identity/protocols/oauth2/web-server#incrementalAuth
 	 */
 	includeGrantedScopes?: boolean | undefined;
 }
 
-const GOOGLE_DEFAULT_SCOPES = ["email", "profile", "openid"];
-
 export const google = (options: GoogleOptions) => {
 	return {
 		id: "google",
 		name: "Google",
-		callbackPath: "/callback/google",
-		grantAuthority:
-			options.includeGrantedScopes !== false ? "full-grant" : "projection",
 		async createAuthorizationURL({
 			state,
 			scopes,
@@ -94,16 +91,16 @@ export const google = (options: GoogleOptions) => {
 			if (!codeVerifier) {
 				throw new BetterAuthError("codeVerifier is required for Google");
 			}
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				GOOGLE_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["email", "profile", "openid"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			const url = await createAuthorizationURL({
 				id: "google",
 				options,
 				authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -112,17 +109,14 @@ export const google = (options: GoogleOptions) => {
 				display: display || options.display,
 				loginHint,
 				hd: options.hd,
-				additionalParams:
-					options.includeGrantedScopes === false
-						? { ...(additionalParams ?? {}) }
-						: {
-								...(additionalParams ?? {}),
-								// Not caller-overridable: the emitted param must stay in
-								// lockstep with `grantAuthority` (driven by the option), or
-								// the callback would treat a non-authoritative grant as full.
-								include_granted_scopes: "true",
-							},
+				additionalParams: {
+					...(options.includeGrantedScopes === false
+						? {}
+						: { include_granted_scopes: "true" }),
+					...(additionalParams ?? {}),
+				},
 			});
+			return url;
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
 			return validateAuthorizationCode({
@@ -195,7 +189,7 @@ export const google = (options: GoogleOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<GoogleProfile>;
+	} satisfies OAuthProvider<GoogleProfile>;
 };
 
 export const getGooglePublicKey = async (kid: string) => {

package/src/social-providers/huggingface.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -43,14 +42,11 @@ export interface HuggingFaceOptions
 	clientId: string;
 }
 
-const HUGGINGFACE_DEFAULT_SCOPES = ["openid", "profile", "email"];
-
 export const huggingface = (options: HuggingFaceOptions) => {
 	const tokenEndpoint = "https://huggingface.co/oauth/token";
 	return {
 		id: "huggingface",
 		name: "Hugging Face",
-		callbackPath: "/callback/huggingface",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -58,16 +54,16 @@ export const huggingface = (options: HuggingFaceOptions) => {
 			redirectURI,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				HUGGINGFACE_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "huggingface",
 				options,
 				authorizationEndpoint: "https://huggingface.co/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -126,5 +122,5 @@ export const huggingface = (options: HuggingFaceOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<HuggingFaceProfile>;
+	} satisfies OAuthProvider<HuggingFaceProfile>;
 };

package/src/social-providers/kakao.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -102,29 +101,22 @@ export interface KakaoOptions extends ProviderOptions<KakaoProfile> {
 	clientId: string;
 }
 
-const KAKAO_DEFAULT_SCOPES = [
-	"account_email",
-	"profile_image",
-	"profile_nickname",
-];
-
 export const kakao = (options: KakaoOptions) => {
 	const tokenEndpoint = "https://kauth.kakao.com/oauth/token";
 	return {
 		id: "kakao",
 		name: "Kakao",
-		callbackPath: "/callback/kakao",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				KAKAO_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["account_email", "profile_image", "profile_nickname"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "kakao",
 				options,
 				authorizationEndpoint: "https://kauth.kakao.com/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				additionalParams,
@@ -184,5 +176,5 @@ export const kakao = (options: KakaoOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<KakaoProfile>;
+	} satisfies OAuthProvider<KakaoProfile>;
 };

package/src/social-providers/kick.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -30,13 +29,10 @@ export interface KickOptions extends ProviderOptions<KickProfile> {
 	clientId: string;
 }
 
-const KICK_DEFAULT_SCOPES = ["user:read"];
-
 export const kick = (options: KickOptions) => {
 	return {
 		id: "kick",
 		name: "Kick",
-		callbackPath: "/callback/kick",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -44,17 +40,16 @@ export const kick = (options: KickOptions) => {
 			codeVerifier,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				KICK_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["user:read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+
 			return createAuthorizationURL({
 				id: "kick",
 				redirectURI,
 				options,
 				authorizationEndpoint: "https://id.kick.com/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				codeVerifier,
 				state,
 				additionalParams,
@@ -117,5 +112,5 @@ export const kick = (options: KickOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<KickProfile>;
+	} satisfies OAuthProvider<KickProfile>;
 };

package/src/social-providers/line.ts

@@ -1,10 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt } from "jose";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -33,8 +32,6 @@ export interface LineOptions
 	clientId: string;
 }
 
-const LINE_DEFAULT_SCOPES = ["openid", "profile", "email"];
-
 /**
  * LINE Login v2.1
  * - Authorization endpoint: https://access.line.me/oauth2/v2.1/authorize
@@ -53,8 +50,7 @@ export const line = (options: LineOptions) => {
 	return {
 		id: "line",
 		name: "LINE",
-		callbackPath: "/callback/line",
-		createAuthorizationURL({
+		async createAuthorizationURL({
 			state,
 			scopes,
 			codeVerifier,
@@ -62,16 +58,16 @@ export const line = (options: LineOptions) => {
 			loginHint,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				LINE_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "line",
 				options,
 				authorizationEndpoint,
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -167,5 +163,5 @@ export const line = (options: LineOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<LineUserInfo | LineIdTokenPayload, LineOptions>;
+	} satisfies OAuthProvider<LineUserInfo | LineIdTokenPayload, LineOptions>;
 };

package/src/social-providers/linear.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -27,14 +26,11 @@ export interface LinearOptions extends ProviderOptions<LinearUser> {
 	clientId: string;
 }
 
-const LINEAR_DEFAULT_SCOPES = ["read"];
-
 export const linear = (options: LinearOptions) => {
 	const tokenEndpoint = "https://api.linear.app/oauth/token";
 	return {
 		id: "linear",
 		name: "Linear",
-		callbackPath: "/callback/linear",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -42,16 +38,14 @@ export const linear = (options: LinearOptions) => {
 			redirectURI,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				LINEAR_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "linear",
 				options,
 				authorizationEndpoint: "https://linear.app/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				loginHint,
@@ -130,5 +124,5 @@ export const linear = (options: LinearOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<LinearUser>;
+	} satisfies OAuthProvider<LinearUser>;
 };

package/src/social-providers/linkedin.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -25,8 +24,6 @@ export interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
 	clientId: string;
 }
 
-const LINKEDIN_DEFAULT_SCOPES = ["profile", "email", "openid"];
-
 export const linkedin = (options: LinkedInOptions) => {
 	const authorizationEndpoint =
 		"https://www.linkedin.com/oauth/v2/authorization";
@@ -35,24 +32,23 @@ export const linkedin = (options: LinkedInOptions) => {
 	return {
 		id: "linkedin",
 		name: "Linkedin",
-		callbackPath: "/callback/linkedin",
-		createAuthorizationURL: ({
+		createAuthorizationURL: async ({
 			state,
 			scopes,
 			redirectURI,
 			loginHint,
 			additionalParams,
 		}) => {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				LINKEDIN_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["profile", "email", "openid"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "linkedin",
 				options,
 				authorizationEndpoint,
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				loginHint,
 				redirectURI,
@@ -112,5 +108,5 @@ export const linkedin = (options: LinkedInOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<LinkedInProfile>;
+	} satisfies OAuthProvider<LinkedInProfile>;
 };

package/src/social-providers/microsoft-entra-id.ts

@@ -5,15 +5,14 @@ import { logger } from "../env";
 import { APIError, BetterAuthError } from "../error";
 import type {
 	ClientAssertionGetter,
+	OAuthProvider,
 	ProviderOptions,
 	TokenEndpointAuth,
-	UpstreamProvider,
 } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -161,14 +160,6 @@ export interface MicrosoftOptions
 	disableProfilePhoto?: boolean;
 }
 
-const MICROSOFT_ENTRA_ID_DEFAULT_SCOPES = [
-	"openid",
-	"profile",
-	"email",
-	"User.Read",
-	"offline_access",
-];
-
 export const microsoft = (options: MicrosoftOptions) => {
 	const tenant = options.tenantId || "common";
 	// Trim any trailing slash so endpoint URLs and the issuer comparison below
@@ -196,7 +187,6 @@ export const microsoft = (options: MicrosoftOptions) => {
 	return {
 		id: "microsoft",
 		name: "Microsoft EntraID",
-		callbackPath: "/callback/microsoft",
 		createAuthorizationURL(data) {
 			// Microsoft Entra supports public clients (SPA / native apps with
 			// PKCE only), so clientSecret is intentionally not required here.
@@ -207,18 +197,18 @@ export const microsoft = (options: MicrosoftOptions) => {
 				);
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				MICROSOFT_ENTRA_ID_DEFAULT_SCOPES,
-				data.scopes,
-			);
+			const scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email", "User.Read", "offline_access"];
+			if (options.scope) scopes.push(...options.scope);
+			if (data.scopes) scopes.push(...data.scopes);
 			return createAuthorizationURL({
 				id: "microsoft",
 				options,
 				authorizationEndpoint,
 				state: data.state,
 				codeVerifier: data.codeVerifier,
-				scopes: requestedScopes,
+				scopes,
 				redirectURI: data.redirectURI,
 				prompt: options.prompt,
 				loginHint: data.loginHint,
@@ -361,7 +351,7 @@ export const microsoft = (options: MicrosoftOptions) => {
 					});
 				},
 		options,
-	} satisfies UpstreamProvider;
+	} satisfies OAuthProvider;
 };
 
 export const getMicrosoftPublicKey = async (

package/src/social-providers/naver.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -40,25 +39,20 @@ export interface NaverOptions extends ProviderOptions<NaverProfile> {
 	clientId: string;
 }
 
-const NAVER_DEFAULT_SCOPES = ["profile", "email"];
-
 export const naver = (options: NaverOptions) => {
 	const tokenEndpoint = "https://nid.naver.com/oauth2.0/token";
 	return {
 		id: "naver",
 		name: "Naver",
-		callbackPath: "/callback/naver",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				NAVER_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "naver",
 				options,
 				authorizationEndpoint: "https://nid.naver.com/oauth2.0/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				additionalParams,
@@ -116,5 +110,5 @@ export const naver = (options: NaverOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<NaverProfile>;
+	} satisfies OAuthProvider<NaverProfile>;
 };

package/src/social-providers/notion.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -24,14 +23,11 @@ export interface NotionOptions extends ProviderOptions<NotionProfile> {
 	clientId: string;
 }
 
-const NOTION_DEFAULT_SCOPES: string[] = [];
-
 export const notion = (options: NotionOptions) => {
 	const tokenEndpoint = "https://api.notion.com/v1/oauth/token";
 	return {
 		id: "notion",
 		name: "Notion",
-		callbackPath: "/callback/notion",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -39,16 +35,14 @@ export const notion = (options: NotionOptions) => {
 			redirectURI,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				NOTION_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes: string[] = options.disableDefaultScope ? [] : [];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "notion",
 				options,
 				authorizationEndpoint: "https://api.notion.com/v1/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				loginHint,
@@ -117,5 +111,5 @@ export const notion = (options: NotionOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<NotionProfile>;
+	} satisfies OAuthProvider<NotionProfile>;
 };