@better-auth/core 1.7.0-beta.7 → 1.7.0-beta.9

package/src/social-providers/slack.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -42,30 +41,22 @@ export interface SlackOptions extends ProviderOptions<SlackProfile> {
 	clientId: string;
 }
 
-const SLACK_DEFAULT_SCOPES = ["openid", "profile", "email"];
-
 export const slack = (options: SlackOptions) => {
 	const tokenEndpoint = "https://slack.com/api/openid.connect.token";
 	return {
 		id: "slack",
 		name: "Slack",
-		callbackPath: "/callback/slack",
-		async createAuthorizationURL({
-			state,
-			scopes,
-			redirectURI,
-			additionalParams,
-		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				SLACK_DEFAULT_SCOPES,
-				scopes,
-			);
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			if (scopes) _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
 			return createAuthorizationURL({
 				id: "slack",
 				options,
 				authorizationEndpoint: "https://slack.com/openid/connect/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				additionalParams,
@@ -123,5 +114,5 @@ export const slack = (options: SlackOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<SlackProfile>;
+	} satisfies OAuthProvider<SlackProfile>;
 };

package/src/social-providers/spotify.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -20,31 +19,26 @@ export interface SpotifyOptions extends ProviderOptions<SpotifyProfile> {
 	clientId: string;
 }
 
-const SPOTIFY_DEFAULT_SCOPES = ["user-read-email"];
-
 export const spotify = (options: SpotifyOptions) => {
 	const tokenEndpoint = "https://accounts.spotify.com/api/token";
 	return {
 		id: "spotify",
 		name: "Spotify",
-		callbackPath: "/callback/spotify",
-		async createAuthorizationURL({
+		createAuthorizationURL({
 			state,
 			scopes,
 			codeVerifier,
 			redirectURI,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				SPOTIFY_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["user-read-email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "spotify",
 				options,
 				authorizationEndpoint: "https://accounts.spotify.com/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -103,5 +97,5 @@ export const spotify = (options: SpotifyOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<SpotifyProfile>;
+	} satisfies OAuthProvider<SpotifyProfile>;
 };

package/src/social-providers/tiktok.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	RESERVED_AUTHORIZATION_PARAMS_SET,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -131,24 +130,19 @@ export interface TiktokOptions extends ProviderOptions {
 	clientKey: string;
 }
 
-const TIKTOK_DEFAULT_SCOPES = ["user.info.profile"];
-
 export const tiktok = (options: TiktokOptions) => {
 	const tokenEndpoint = "https://open.tiktokapis.com/v2/oauth/token/";
 	return {
 		id: "tiktok",
 		name: "TikTok",
-		callbackPath: "/callback/tiktok",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				TIKTOK_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["user.info.profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			// TikTok uses `client_key` instead of the standard `client_id`, so the
 			// shared createAuthorizationURL helper cannot be used directly.
 			const url = new URL("https://www.tiktok.com/v2/auth/authorize");
-			url.searchParams.set("scope", requestedScopes.join(","));
+			url.searchParams.set("scope", _scopes.join(","));
 			url.searchParams.set("response_type", "code");
 			url.searchParams.set("client_key", options.clientKey);
 			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
@@ -160,7 +154,7 @@ export const tiktok = (options: TiktokOptions) => {
 					url.searchParams.set(key, value);
 				}
 			}
-			return { url, requestedScopes };
+			return url;
 		},
 
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
@@ -226,5 +220,5 @@ export const tiktok = (options: TiktokOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<TiktokProfile, TiktokOptions>;
+	} satisfies OAuthProvider<TiktokProfile, TiktokOptions>;
 };

package/src/social-providers/twitch.ts

@@ -1,10 +1,9 @@
 import { decodeJwt } from "jose";
 import { logger } from "../env";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -38,26 +37,23 @@ export interface TwitchOptions extends ProviderOptions<TwitchProfile> {
 	clientId: string;
 	claims?: string[] | undefined;
 }
-const TWITCH_DEFAULT_SCOPES = ["user:read:email", "openid"];
-
 export const twitch = (options: TwitchOptions) => {
 	const tokenEndpoint = "https://id.twitch.tv/oauth2/token";
 	return {
 		id: "twitch",
 		name: "Twitch",
-		callbackPath: "/callback/twitch",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				TWITCH_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["user:read:email", "openid"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "twitch",
 				redirectURI,
 				options,
 				authorizationEndpoint: "https://id.twitch.tv/oauth2/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				claims: options.claims || [
 					"email",
@@ -113,5 +109,5 @@ export const twitch = (options: TwitchOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<TwitchProfile>;
+	} satisfies OAuthProvider<TwitchProfile>;
 };

package/src/social-providers/twitter.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -104,30 +103,22 @@ export interface TwitterOption extends ProviderOptions<TwitterProfile> {
 	clientId: string;
 }
 
-const TWITTER_DEFAULT_SCOPES = [
-	"users.read",
-	"tweet.read",
-	"offline.access",
-	"users.email",
-];
-
 export const twitter = (options: TwitterOption) => {
 	const tokenEndpoint = "https://api.x.com/2/oauth2/token";
 	return {
 		id: "twitter",
 		name: "Twitter",
-		callbackPath: "/callback/twitter",
 		createAuthorizationURL(data) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				TWITTER_DEFAULT_SCOPES,
-				data.scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["users.read", "tweet.read", "offline.access", "users.email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (data.scopes) _scopes.push(...data.scopes);
 			return createAuthorizationURL({
 				id: "twitter",
 				options,
 				authorizationEndpoint: "https://x.com/i/oauth2/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state: data.state,
 				codeVerifier: data.codeVerifier,
 				redirectURI: data.redirectURI,
@@ -205,5 +196,5 @@ export const twitter = (options: TwitterOption) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<TwitterProfile>;
+	} satisfies OAuthProvider<TwitterProfile>;
 };

package/src/social-providers/vercel.ts

@@ -1,11 +1,7 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
-import {
-	createAuthorizationURL,
-	resolveRequestedScopes,
-	validateAuthorizationCode,
-} from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import { createAuthorizationURL, validateAuthorizationCode } from "../oauth2";
 
 export interface VercelProfile {
 	sub: string;
@@ -20,13 +16,10 @@ export interface VercelOptions extends ProviderOptions<VercelProfile> {
 	clientId: string;
 }
 
-const VERCEL_DEFAULT_SCOPES: string[] = [];
-
 export const vercel = (options: VercelOptions) => {
 	return {
 		id: "vercel",
 		name: "Vercel",
-		callbackPath: "/callback/vercel",
 		createAuthorizationURL({
 			state,
 			scopes,
@@ -38,17 +31,18 @@ export const vercel = (options: VercelOptions) => {
 				throw new BetterAuthError("codeVerifier is required for Vercel");
 			}
 
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				VERCEL_DEFAULT_SCOPES,
-				scopes,
-			);
+			let _scopes: string[] | undefined = undefined;
+			if (options.scope !== undefined || scopes !== undefined) {
+				_scopes = [];
+				if (options.scope) _scopes.push(...options.scope);
+				if (scopes) _scopes.push(...scopes);
+			}
 
 			return createAuthorizationURL({
 				id: "vercel",
 				options,
 				authorizationEndpoint: "https://vercel.com/oauth/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -96,5 +90,5 @@ export const vercel = (options: VercelOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<VercelProfile>;
+	} satisfies OAuthProvider<VercelProfile>;
 };

package/src/social-providers/vk.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -26,33 +25,28 @@ export interface VkOption extends ProviderOptions {
 	scheme?: ("light" | "dark") | undefined;
 }
 
-const VK_DEFAULT_SCOPES = ["email", "phone"];
-
 export const vk = (options: VkOption) => {
 	const tokenEndpoint = "https://id.vk.com/oauth2/auth";
 	return {
 		id: "vk",
 		name: "VK",
-		callbackPath: "/callback/vk",
-		createAuthorizationURL({
+		async createAuthorizationURL({
 			state,
 			scopes,
 			codeVerifier,
 			redirectURI,
 			additionalParams,
 		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				VK_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["email", "phone"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			const authorizationEndpoint = "https://id.vk.com/authorize";
 
 			return createAuthorizationURL({
 				id: "vk",
 				options,
 				authorizationEndpoint,
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				codeVerifier,
@@ -134,5 +128,5 @@ export const vk = (options: VkOption) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<VkProfile>;
+	} satisfies OAuthProvider<VkProfile>;
 };

package/src/social-providers/wechat.ts

@@ -1,13 +1,6 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type {
-	OAuth2Tokens,
-	ProviderOptions,
-	UpstreamProvider,
-} from "../oauth2";
-import {
-	RESERVED_AUTHORIZATION_PARAMS_SET,
-	resolveRequestedScopes,
-} from "../oauth2";
+import type { OAuth2Tokens, OAuthProvider, ProviderOptions } from "../oauth2";
+import { RESERVED_AUTHORIZATION_PARAMS_SET } from "../oauth2";
 
 /**
  * WeChat user profile information
@@ -62,24 +55,19 @@ export interface WeChatOptions extends ProviderOptions<WeChatProfile> {
 	lang?: "cn" | "en";
 }
 
-const WECHAT_DEFAULT_SCOPES = ["snsapi_login"];
-
 export const wechat = (options: WeChatOptions) => {
 	return {
 		id: "wechat",
 		name: "WeChat",
-		callbackPath: "/callback/wechat",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				WECHAT_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope ? [] : ["snsapi_login"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
 
 			// WeChat uses non-standard OAuth2 parameters (appid instead of client_id)
 			// and requires a fragment (#wechat_redirect), so we construct the URL manually.
 			const url = new URL("https://open.weixin.qq.com/connect/qrconnect");
-			url.searchParams.set("scope", requestedScopes.join(","));
+			url.searchParams.set("scope", _scopes.join(","));
 			url.searchParams.set("response_type", "code");
 			url.searchParams.set("appid", options.clientId);
 			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
@@ -94,7 +82,7 @@ export const wechat = (options: WeChatOptions) => {
 			}
 			url.hash = "wechat_redirect";
 
-			return { url, requestedScopes };
+			return url;
 		},
 
 		// WeChat uses non-standard token exchange (appid/secret instead of
@@ -236,5 +224,5 @@ export const wechat = (options: WeChatOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<WeChatProfile, WeChatOptions>;
+	} satisfies OAuthProvider<WeChatProfile, WeChatOptions>;
 };

package/src/social-providers/zoom.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -144,8 +143,6 @@ export interface ZoomOptions extends ProviderOptions<ZoomProfile> {
 	pkce?: boolean | undefined;
 }
 
-const ZOOM_DEFAULT_SCOPES: string[] = [];
-
 export const zoom = (userOptions: ZoomOptions) => {
 	const options = {
 		pkce: true,
@@ -155,31 +152,21 @@ export const zoom = (userOptions: ZoomOptions) => {
 	return {
 		id: "zoom",
 		name: "Zoom",
-		callbackPath: "/callback/zoom",
-		createAuthorizationURL: ({
+		createAuthorizationURL: async ({
 			state,
-			scopes,
 			redirectURI,
 			codeVerifier,
 			additionalParams,
-		}) => {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				ZOOM_DEFAULT_SCOPES,
-				scopes,
-			);
-
-			return createAuthorizationURL({
+		}) =>
+			createAuthorizationURL({
 				id: "zoom",
 				options,
 				authorizationEndpoint: "https://zoom.us/oauth/authorize",
-				scopes: requestedScopes,
 				state,
 				redirectURI,
 				codeVerifier: options.pkce ? codeVerifier : undefined,
 				additionalParams,
-			});
-		},
+			}),
 		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
 			return validateAuthorizationCode({
 				code,
@@ -235,5 +222,5 @@ export const zoom = (userOptions: ZoomOptions) => {
 				},
 			};
 		},
-	} satisfies UpstreamProvider<ZoomProfile>;
+	} satisfies OAuthProvider<ZoomProfile>;
 };

package/src/types/context.ts

@@ -10,7 +10,7 @@ import type {
 } from "../db";
 import type { DBAdapter, Where } from "../db/adapter";
 import type { createLogger } from "../env";
-import type { UpstreamProvider } from "../oauth2";
+import type { OAuthProvider } from "../oauth2";
 import type { BetterAuthCookie, BetterAuthCookies } from "./cookie";
 import type { Awaitable, LiteralString } from "./helper";
 import type {
@@ -88,6 +88,12 @@ export type GenericEndpointContext<
 export interface InternalAdapter<
 	_Options extends BetterAuthOptions = BetterAuthOptions,
 > {
+	createOAuthUser(
+		user: Omit<User, "id" | "createdAt" | "updatedAt">,
+		account: Omit<Account, "userId" | "id" | "createdAt" | "updatedAt"> &
+			Partial<Account>,
+	): Promise<{ user: User; account: Account }>;
+
 	createUser<T extends Record<string, any>>(
 		user: Omit<User, "id" | "createdAt" | "updatedAt" | "emailVerified"> &
 			Partial<User> &
@@ -369,7 +375,7 @@ export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
 					user: User & Record<string, any>;
 				} | null,
 			) => void;
-			socialProviders: UpstreamProvider[];
+			socialProviders: OAuthProvider[];
 			authCookies: BetterAuthCookies;
 			logger: ReturnType<typeof createLogger>;
 			rateLimit: {

package/dist/oauth2/scopes.d.mts

@@ -1,76 +0,0 @@
-import { ProviderOptions } from "./oauth-provider.mjs";
-
-//#region src/oauth2/scopes.d.ts
-/**
- * Parse a provider's `scope` token-response field into a string array.
- *
- * RFC 6749 §3.3 defines `scope` as a space-delimited string, but providers
- * vary: some (e.g. Twitch) return an already-split array. Accept both, plus the
- * omitted/empty case, without ever calling `.split` on a non-string. Returns
- * `[]` when no scope is present.
- *
- * @see https://github.com/better-auth/better-auth/issues/9076
- */
-declare function parseScopeField(scope: unknown): string[];
-/**
- * Normalize a scope set into a single deduped, sorted array.
- *
- * Scope order is insignificant per RFC 6749 §3.3, so normalize for idempotent
- * writes and trivial comparisons: trim each token, drop empties, dedupe, and
- * sort ascending. Returns `[]` when the union is empty.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
- */
-declare function normalizeScopes(stored: string[] | null | undefined, incoming?: string[] | undefined): string[];
-/**
- * Union the stored granted-scope set with the scopes observed on an
- * authorization or token exchange.
- *
- * The provider's echoed `scope` is authoritative when present. RFC 6749 §3.3
- * and §5.1 say an omitted or empty echo means the grant equals what was
- * requested, so fall back to `requested` in that case. The result unions onto
- * the stored grant (never narrows on a normal write) and is normalized per
- * {@link normalizeScopes}.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
- */
-declare function unionGrantedScopes(stored: string[] | null | undefined, echoed: string[] | undefined, requested: string[] | undefined): string[];
-/**
- * Coerce a stored granted-scope value into a usable array.
- *
- * `account.grantedScopes` is nullable (legacy rows and non-OAuth accounts read
- * as unset), and on dialects that store the array as a JSON string a malformed
- * operator backfill could deserialize to a non-array. Both collapse to `[]`
- * here so every reader works against a real `string[]` without re-deriving the
- * guard.
- */
-declare function readGrantedScopes(stored: string[] | null | undefined): string[];
-/**
- * Test whether a normalized granted-scope set contains a specific scope.
- *
- * Matching is exact and case-sensitive per RFC 6749 §3.3. The argument is the
- * normalized `account.grantedScopes` array; a raw provider `scope` string must
- * be run through {@link parseScopeField} first.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
- */
-declare function includesGrantedScope(granted: string[] | null | undefined, scope: string): boolean;
-/**
- * Compose the effective scope set to encode in a single authorization URL.
- *
- * Precedence: the provider's built-in defaults (unless `disableDefaultScope`),
- * then the integrator's configured `options.scope`, then the per-request
- * `scopes`. The result is the value persisted into OAuth state as the RFC 6749
- * §5.1 fallback, so it is preserved verbatim (not normalized) to match what is
- * sent to the provider.
- *
- * `defaultScopes` is a parameter rather than a provider-contract field so the
- * runtime-synthesized generic OAuth provider, which has no static default set,
- * can pass its configured scopes here.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
- */
-declare function resolveRequestedScopes(options: Pick<ProviderOptions, "scope" | "disableDefaultScope"> | undefined, defaultScopes: string[], perRequestScopes: string[] | undefined): string[];
-//#endregion
-export { includesGrantedScope, normalizeScopes, parseScopeField, readGrantedScopes, resolveRequestedScopes, unionGrantedScopes };