@better-auth/core 1.7.0-beta.7 → 1.7.0-beta.9

package/src/social-providers/dropbox.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -26,15 +25,12 @@ export interface DropboxOptions extends ProviderOptions<DropboxProfile> {
 	accessType?: ("offline" | "online" | "legacy") | undefined;
 }
 
-const DROPBOX_DEFAULT_SCOPES = ["account_info.read"];
-
 export const dropbox = (options: DropboxOptions) => {
 	const tokenEndpoint = "https://api.dropboxapi.com/oauth2/token";
 
 	return {
 		id: "dropbox",
 		name: "Dropbox",
-		callbackPath: "/callback/dropbox",
 		createAuthorizationURL: async ({
 			state,
 			scopes,
@@ -42,16 +38,14 @@ export const dropbox = (options: DropboxOptions) => {
 			redirectURI,
 			additionalParams,
 		}) => {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				DROPBOX_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "dropbox",
 				options,
 				authorizationEndpoint: "https://www.dropbox.com/oauth2/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				codeVerifier,
@@ -116,5 +110,5 @@ export const dropbox = (options: DropboxOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<DropboxProfile>;
+	} satisfies OAuthProvider<DropboxProfile>;
 };

package/src/social-providers/facebook.ts

@@ -2,12 +2,11 @@ import { betterFetch } from "@better-fetch/fetch";
 import { createRemoteJWKSet, decodeJwt } from "jose";
 import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 export interface FacebookProfile {
@@ -92,13 +91,10 @@ export interface FacebookOptions extends ProviderOptions<FacebookProfile> {
 	configId?: string | undefined;
 }
 
-const FACEBOOK_DEFAULT_SCOPES = ["email", "public_profile"];
-
 export const facebook = (options: FacebookOptions) => {
 	return {
 		id: "facebook",
 		name: "Facebook",
-		callbackPath: "/callback/facebook",
 		async createAuthorizationURL({
 			state,
 			scopes,
@@ -112,16 +108,16 @@ export const facebook = (options: FacebookOptions) => {
 				);
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				FACEBOOK_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["email", "public_profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "facebook",
 				options,
 				authorizationEndpoint: "https://www.facebook.com/v24.0/dialog/oauth",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				loginHint,
@@ -262,5 +258,5 @@ export const facebook = (options: FacebookOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<FacebookProfile>;
+	} satisfies OAuthProvider<FacebookProfile>;
 };

package/src/social-providers/figma.ts

@@ -1,11 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -20,14 +19,11 @@ export interface FigmaOptions extends ProviderOptions<FigmaProfile> {
 	clientId: string;
 }
 
-const FIGMA_DEFAULT_SCOPES = ["current_user:read"];
-
 export const figma = (options: FigmaOptions) => {
 	const tokenEndpoint = "https://api.figma.com/v1/oauth/token";
 	return {
 		id: "figma",
 		name: "Figma",
-		callbackPath: "/callback/figma",
 		async createAuthorizationURL({
 			state,
 			scopes,
@@ -45,22 +41,22 @@ export const figma = (options: FigmaOptions) => {
 				throw new BetterAuthError("codeVerifier is required for Figma");
 			}
 
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				FIGMA_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["current_user:read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 
-			return createAuthorizationURL({
+			const url = await createAuthorizationURL({
 				id: "figma",
 				options,
 				authorizationEndpoint: "https://www.figma.com/oauth",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
 				additionalParams,
 			});
+
+			return url;
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
 			return validateAuthorizationCode({
@@ -125,5 +121,5 @@ export const figma = (options: FigmaOptions) => {
 			}
 		},
 		options,
-	} satisfies UpstreamProvider<FigmaProfile>;
+	} satisfies OAuthProvider<FigmaProfile>;
 };

package/src/social-providers/github.ts

@@ -1,11 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { logger } from "../env";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getOAuth2Tokens,
 	refreshAccessToken,
-	resolveRequestedScopes,
 } from "../oauth2";
 import { authorizationCodeRequest } from "../oauth2/validate-authorization-code";
 
@@ -59,14 +58,11 @@ export interface GithubProfile {
 export interface GithubOptions extends ProviderOptions<GithubProfile> {
 	clientId: string;
 }
-const GITHUB_DEFAULT_SCOPES = ["read:user", "user:email"];
-
 export const github = (options: GithubOptions) => {
 	const tokenEndpoint = "https://github.com/login/oauth/access_token";
 	return {
 		id: "github",
 		name: "GitHub",
-		callbackPath: "/callback/github",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -75,16 +71,16 @@ export const github = (options: GithubOptions) => {
 			redirectURI,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				GITHUB_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["read:user", "user:email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "github",
 				options,
 				authorizationEndpoint: "https://github.com/login/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -186,5 +182,5 @@ export const github = (options: GithubOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<GithubProfile>;
+	} satisfies OAuthProvider<GithubProfile>;
 };

package/src/social-providers/gitlab.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -74,8 +73,6 @@ const issuerToEndpoints = (issuer?: string | undefined) => {
 	};
 };
 
-const GITLAB_DEFAULT_SCOPES = ["read_user"];
-
 export const gitlab = (options: GitlabOptions) => {
 	const { authorizationEndpoint, tokenEndpoint, userinfoEndpoint } =
 		issuerToEndpoints(options.issuer);
@@ -84,8 +81,7 @@ export const gitlab = (options: GitlabOptions) => {
 	return {
 		id: issuerId,
 		name: issuerName,
-		callbackPath: "/callback/gitlab",
-		createAuthorizationURL: ({
+		createAuthorizationURL: async ({
 			state,
 			scopes,
 			codeVerifier,
@@ -93,16 +89,14 @@ export const gitlab = (options: GitlabOptions) => {
 			redirectURI,
 			additionalParams,
 		}) => {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				GITLAB_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: issuerId,
 				options,
 				authorizationEndpoint,
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				codeVerifier,
@@ -159,5 +153,5 @@ export const gitlab = (options: GitlabOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<GitlabProfile>;
+	} satisfies OAuthProvider<GitlabProfile>;
 };

package/src/social-providers/google.ts

@@ -2,12 +2,11 @@ import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt, importJWK } from "jose";
 import { logger } from "../env";
 import { APIError, BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -58,24 +57,22 @@ export interface GoogleOptions extends ProviderOptions<GoogleProfile> {
 	 */
 	hd?: string | undefined;
 	/**
-	 * Enable incremental authorization via Google's `include_granted_scopes`
-	 * parameter. When enabled, Google reports the user's full granted scope set
-	 * in the token response.
+	 * Whether to send `include_granted_scopes=true` to Google's authorization
+	 * endpoint, which lets new access tokens cover scopes from prior grants
+	 * in addition to the ones requested for this flow. Set to `false` when
+	 * each OAuth flow should request only its own scopes.
 	 *
-	 * @default true
+	 * Defaults to `true`.
+	 *
+	 * @see https://developers.google.com/identity/protocols/oauth2/web-server#incrementalAuth
 	 */
 	includeGrantedScopes?: boolean | undefined;
 }
 
-const GOOGLE_DEFAULT_SCOPES = ["email", "profile", "openid"];
-
 export const google = (options: GoogleOptions) => {
 	return {
 		id: "google",
 		name: "Google",
-		callbackPath: "/callback/google",
-		grantAuthority:
-			options.includeGrantedScopes !== false ? "full-grant" : "projection",
 		async createAuthorizationURL({
 			state,
 			scopes,
@@ -94,16 +91,16 @@ export const google = (options: GoogleOptions) => {
 			if (!codeVerifier) {
 				throw new BetterAuthError("codeVerifier is required for Google");
 			}
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				GOOGLE_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["email", "profile", "openid"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			const url = await createAuthorizationURL({
 				id: "google",
 				options,
 				authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -112,17 +109,14 @@ export const google = (options: GoogleOptions) => {
 				display: display || options.display,
 				loginHint,
 				hd: options.hd,
-				additionalParams:
-					options.includeGrantedScopes === false
-						? { ...(additionalParams ?? {}) }
-						: {
-								...(additionalParams ?? {}),
-								// Not caller-overridable: the emitted param must stay in
-								// lockstep with `grantAuthority` (driven by the option), or
-								// the callback would treat a non-authoritative grant as full.
-								include_granted_scopes: "true",
-							},
+				additionalParams: {
+					...(options.includeGrantedScopes === false
+						? {}
+						: { include_granted_scopes: "true" }),
+					...(additionalParams ?? {}),
+				},
 			});
+			return url;
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
 			return validateAuthorizationCode({
@@ -195,7 +189,7 @@ export const google = (options: GoogleOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<GoogleProfile>;
+	} satisfies OAuthProvider<GoogleProfile>;
 };
 
 export const getGooglePublicKey = async (kid: string) => {

package/src/social-providers/huggingface.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -43,14 +42,11 @@ export interface HuggingFaceOptions
 	clientId: string;
 }
 
-const HUGGINGFACE_DEFAULT_SCOPES = ["openid", "profile", "email"];
-
 export const huggingface = (options: HuggingFaceOptions) => {
 	const tokenEndpoint = "https://huggingface.co/oauth/token";
 	return {
 		id: "huggingface",
 		name: "Hugging Face",
-		callbackPath: "/callback/huggingface",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -58,16 +54,16 @@ export const huggingface = (options: HuggingFaceOptions) => {
 			redirectURI,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				HUGGINGFACE_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "huggingface",
 				options,
 				authorizationEndpoint: "https://huggingface.co/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -126,5 +122,5 @@ export const huggingface = (options: HuggingFaceOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<HuggingFaceProfile>;
+	} satisfies OAuthProvider<HuggingFaceProfile>;
 };

package/src/social-providers/kakao.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -102,29 +101,22 @@ export interface KakaoOptions extends ProviderOptions<KakaoProfile> {
 	clientId: string;
 }
 
-const KAKAO_DEFAULT_SCOPES = [
-	"account_email",
-	"profile_image",
-	"profile_nickname",
-];
-
 export const kakao = (options: KakaoOptions) => {
 	const tokenEndpoint = "https://kauth.kakao.com/oauth/token";
 	return {
 		id: "kakao",
 		name: "Kakao",
-		callbackPath: "/callback/kakao",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				KAKAO_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["account_email", "profile_image", "profile_nickname"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "kakao",
 				options,
 				authorizationEndpoint: "https://kauth.kakao.com/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				additionalParams,
@@ -184,5 +176,5 @@ export const kakao = (options: KakaoOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<KakaoProfile>;
+	} satisfies OAuthProvider<KakaoProfile>;
 };

package/src/social-providers/kick.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -30,13 +29,10 @@ export interface KickOptions extends ProviderOptions<KickProfile> {
 	clientId: string;
 }
 
-const KICK_DEFAULT_SCOPES = ["user:read"];
-
 export const kick = (options: KickOptions) => {
 	return {
 		id: "kick",
 		name: "Kick",
-		callbackPath: "/callback/kick",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -44,17 +40,16 @@ export const kick = (options: KickOptions) => {
 			codeVerifier,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				KICK_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["user:read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+
 			return createAuthorizationURL({
 				id: "kick",
 				redirectURI,
 				options,
 				authorizationEndpoint: "https://id.kick.com/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				codeVerifier,
 				state,
 				additionalParams,
@@ -117,5 +112,5 @@ export const kick = (options: KickOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<KickProfile>;
+	} satisfies OAuthProvider<KickProfile>;
 };

package/src/social-providers/line.ts

@@ -1,10 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt } from "jose";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -33,8 +32,6 @@ export interface LineOptions
 	clientId: string;
 }
 
-const LINE_DEFAULT_SCOPES = ["openid", "profile", "email"];
-
 /**
  * LINE Login v2.1
  * - Authorization endpoint: https://access.line.me/oauth2/v2.1/authorize
@@ -53,8 +50,7 @@ export const line = (options: LineOptions) => {
 	return {
 		id: "line",
 		name: "LINE",
-		callbackPath: "/callback/line",
-		createAuthorizationURL({
+		async createAuthorizationURL({
 			state,
 			scopes,
 			codeVerifier,
@@ -62,16 +58,16 @@ export const line = (options: LineOptions) => {
 			loginHint,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				LINE_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "line",
 				options,
 				authorizationEndpoint,
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -167,5 +163,5 @@ export const line = (options: LineOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<LineUserInfo | LineIdTokenPayload, LineOptions>;
+	} satisfies OAuthProvider<LineUserInfo | LineIdTokenPayload, LineOptions>;
 };

package/src/social-providers/linear.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -27,14 +26,11 @@ export interface LinearOptions extends ProviderOptions<LinearUser> {
 	clientId: string;
 }
 
-const LINEAR_DEFAULT_SCOPES = ["read"];
-
 export const linear = (options: LinearOptions) => {
 	const tokenEndpoint = "https://api.linear.app/oauth/token";
 	return {
 		id: "linear",
 		name: "Linear",
-		callbackPath: "/callback/linear",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -42,16 +38,14 @@ export const linear = (options: LinearOptions) => {
 			redirectURI,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				LINEAR_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "linear",
 				options,
 				authorizationEndpoint: "https://linear.app/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				loginHint,
@@ -130,5 +124,5 @@ export const linear = (options: LinearOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<LinearUser>;
+	} satisfies OAuthProvider<LinearUser>;
 };