@better-auth/oauth-provider 1.4.17 → 1.4.19

package/dist/index.mjs

@@ -1,124 +1,28 @@
-import { a as getJwtPlugin, c as parsePrompt, d as validateClientCredentials, i as getClient, l as storeClientSecret, n as decryptStoredClientSecret, p as mcpHandler, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as storeToken } from "./utils-LksXOM6z.mjs";
+import { a as getJwtPlugin, c as parseClientMetadata, d as storeToken, f as validateClientCredentials, i as getClient, l as parsePrompt, m as mcpHandler, n as decryptStoredClientSecret, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as storeClientSecret } from "./utils-CThxvHKd.mjs";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
-import { BetterAuthError } from "@better-auth/core/error";
+import { APIError as APIError$1, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { constantTimeEqual, generateRandomString, makeSignature } from "better-auth/crypto";
+import { BetterAuthError } from "@better-auth/core/error";
 import { defineRequestState } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
-import { APIError as APIError$1, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { parseSetCookieHeader } from "better-auth/cookies";
 import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
 import { signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
 
-//#region src/metadata.ts
-function authServerMetadata(ctx, opts, overrides) {
-	const baseURL = ctx.context.baseURL;
-	return {
-		scopes_supported: overrides?.scopes_supported,
-		issuer: opts?.jwt?.issuer ?? baseURL,
-		authorization_endpoint: `${baseURL}/oauth2/authorize`,
-		token_endpoint: `${baseURL}/oauth2/token`,
-		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
-		registration_endpoint: `${baseURL}/oauth2/register`,
-		introspection_endpoint: `${baseURL}/oauth2/introspect`,
-		revocation_endpoint: `${baseURL}/oauth2/revoke`,
-		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
-		response_modes_supported: ["query"],
-		grant_types_supported: overrides?.grant_types_supported ?? [
-			"authorization_code",
-			"client_credentials",
-			"refresh_token"
-		],
-		token_endpoint_auth_methods_supported: [
-			...overrides?.public_client_supported ? ["none"] : [],
-			"client_secret_basic",
-			"client_secret_post"
-		],
-		introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-		revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-		code_challenge_methods_supported: ["S256"]
-	};
-}
-function oidcServerMetadata(ctx, opts) {
-	const baseURL = ctx.context.baseURL;
-	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
-	return {
-		...authServerMetadata(ctx, jwtPluginOptions, {
-			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-			public_client_supported: opts.allowUnauthenticatedClientRegistration,
-			grant_types_supported: opts.grantTypes,
-			jwt_disabled: opts.disableJwtPlugin
-		}),
-		claims_supported: opts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],
-		userinfo_endpoint: `${baseURL}/oauth2/userinfo`,
-		subject_types_supported: ["public"],
-		id_token_signing_alg_values_supported: jwtPluginOptions?.jwks?.keyPairConfig?.alg ? [jwtPluginOptions?.jwks?.keyPairConfig?.alg] : opts.disableJwtPlugin ? ["HS256"] : ["EdDSA"],
-		end_session_endpoint: `${baseURL}/oauth2/end-session`,
-		acr_values_supported: ["urn:mace:incommon:iap:bronze"],
-		prompt_values_supported: [
-			"login",
-			"consent",
-			"create",
-			"select_account"
-		]
-	};
-}
-/**
-* Provides an exportable `/.well-known/oauth-authorization-server`.
-*
-* Useful when basePath prevents the endpoint from being located at the root
-* and must be provided manually.
-*
-* @external
-*/
-const oauthProviderAuthServerMetadata = (auth, opts) => {
-	return async (_request) => {
-		const res = await auth.api.getOAuthServerConfig();
-		return new Response(JSON.stringify(res), {
-			status: 200,
-			headers: {
-				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-				...opts?.headers,
-				"Content-Type": "application/json"
-			}
-		});
-	};
-};
-/**
-* Provides an exportable `/.well-known/openid-configuration`.
-*
-* Useful when basePath prevents the endpoint from being located at the root
-* and must be provided manually.
-*
-* @external
-*/
-const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
-	return async (_request) => {
-		const res = await auth.api.getOpenIdConfig();
-		return new Response(JSON.stringify(res), {
-			status: 200,
-			headers: {
-				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-				...opts?.headers,
-				"Content-Type": "application/json"
-			}
-		});
-	};
-};
-
-//#endregion
 //#region src/authorize.ts
 /**
 * Formats an error url
 */
-function formatErrorURL(url, error, description, state) {
+function formatErrorURL(url, error, description, state, iss) {
 	const searchParams = new URLSearchParams({
 		error,
 		error_description: description
 	});
 	state && searchParams.append("state", state);
+	iss && searchParams.append("iss", iss);
 	return `${url}${url.includes("?") ? "&" : "?"}${searchParams.toString()}`;
 }
 const handleRedirect = (ctx, uri) => {
@@ -129,6 +33,39 @@ const handleRedirect = (ctx, uri) => {
 	else throw ctx.redirect(uri);
 };
 /**
+* Validates that the issuer URL
+* - MUST use HTTPS scheme (HTTP allowed for localhost in dev)
+* - MUST NOT contain query components
+* - MUST NOT contain fragment components
+*
+* @returns The validated issuer URL, or a sanitized version if invalid
+*/
+function validateIssuerUrl(issuer) {
+	try {
+		const url = new URL(issuer);
+		const isLocalhost$1 = url.hostname === "localhost" || url.hostname === "127.0.0.1";
+		if (url.protocol !== "https:" && !isLocalhost$1) url.protocol = "https:";
+		url.search = "";
+		url.hash = "";
+		return url.toString().replace(/\/$/, "");
+	} catch {
+		return issuer;
+	}
+}
+/**
+* Gets the issuer identifier
+*/
+function getIssuer(ctx, opts) {
+	let issuer;
+	if (opts.disableJwtPlugin) issuer = ctx.context.baseURL;
+	else try {
+		issuer = getJwtPlugin(ctx.context).options?.jwt?.issuer ?? ctx.context.baseURL;
+	} catch {
+		issuer = ctx.context.baseURL;
+	}
+	return validateIssuerUrl(issuer);
+}
+/**
 * Error page url if redirect_uri has not been verified yet
 * Generates Url for custom error page
 */
@@ -157,14 +94,14 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		const invalidScopes = requestedScopes.filter((scope) => {
 			return !validScopes?.has(scope) || scope === "offline_access" && (query.code_challenge_method !== "S256" || !query.code_challenge);
 		});
-		if (invalidScopes.length) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`, query.state));
+		if (invalidScopes.length) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`, query.state, getIssuer(ctx, opts)));
 	}
 	if (!requestedScopes) {
 		requestedScopes = client.scopes ?? opts.scopes ?? [];
 		query.scope = requestedScopes.join(" ");
 	}
-	if (!query.code_challenge || !query.code_challenge_method) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "pkce is required", query.state));
-	if (!["S256"].includes(query.code_challenge_method)) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method", query.state));
+	if (!query.code_challenge || !query.code_challenge_method) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "pkce is required", query.state, getIssuer(ctx, opts)));
+	if (!["S256"].includes(query.code_challenge_method)) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method", query.state, getIssuer(ctx, opts)));
 	const session = await getSessionFromCtx(ctx);
 	if (!session || promptSet?.has("login") || promptSet?.has("create")) return redirectWithPromptCode(ctx, opts, promptSet?.has("create") ? "create" : "login");
 	if (settings?.isAuthorize && promptSet?.has("select_account")) return redirectWithPromptCode(ctx, opts, "select_account");
@@ -255,6 +192,7 @@ async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 	const redirectUriWithCode = new URL(verificationValue.query.redirect_uri);
 	redirectUriWithCode.searchParams.set("code", code);
 	if (verificationValue.query.state) redirectUriWithCode.searchParams.set("state", verificationValue.query.state);
+	redirectUriWithCode.searchParams.set("iss", getIssuer(ctx, opts));
 	return handleRedirect(ctx, redirectUriWithCode.toString());
 }
 async function redirectWithPromptCode(ctx, opts, type, page) {
@@ -277,6 +215,104 @@ async function signParams(ctx, opts) {
 	return params.toString();
 }
 
+//#endregion
+//#region src/metadata.ts
+function authServerMetadata(ctx, opts, overrides) {
+	const baseURL = ctx.context.baseURL;
+	return {
+		scopes_supported: overrides?.scopes_supported,
+		issuer: validateIssuerUrl(opts?.jwt?.issuer ?? baseURL),
+		authorization_endpoint: `${baseURL}/oauth2/authorize`,
+		token_endpoint: `${baseURL}/oauth2/token`,
+		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
+		registration_endpoint: `${baseURL}/oauth2/register`,
+		introspection_endpoint: `${baseURL}/oauth2/introspect`,
+		revocation_endpoint: `${baseURL}/oauth2/revoke`,
+		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
+		response_modes_supported: ["query"],
+		grant_types_supported: overrides?.grant_types_supported ?? [
+			"authorization_code",
+			"client_credentials",
+			"refresh_token"
+		],
+		token_endpoint_auth_methods_supported: [
+			...overrides?.public_client_supported ? ["none"] : [],
+			"client_secret_basic",
+			"client_secret_post"
+		],
+		introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+		revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+		code_challenge_methods_supported: ["S256"],
+		authorization_response_iss_parameter_supported: true
+	};
+}
+function oidcServerMetadata(ctx, opts) {
+	const baseURL = ctx.context.baseURL;
+	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
+	return {
+		...authServerMetadata(ctx, jwtPluginOptions, {
+			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+			public_client_supported: opts.allowUnauthenticatedClientRegistration,
+			grant_types_supported: opts.grantTypes,
+			jwt_disabled: opts.disableJwtPlugin
+		}),
+		claims_supported: opts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],
+		userinfo_endpoint: `${baseURL}/oauth2/userinfo`,
+		subject_types_supported: ["public"],
+		id_token_signing_alg_values_supported: jwtPluginOptions?.jwks?.keyPairConfig?.alg ? [jwtPluginOptions?.jwks?.keyPairConfig?.alg] : opts.disableJwtPlugin ? ["HS256"] : ["EdDSA"],
+		end_session_endpoint: `${baseURL}/oauth2/end-session`,
+		acr_values_supported: ["urn:mace:incommon:iap:bronze"],
+		prompt_values_supported: [
+			"login",
+			"consent",
+			"create",
+			"select_account"
+		]
+	};
+}
+/**
+* Provides an exportable `/.well-known/oauth-authorization-server`.
+*
+* Useful when basePath prevents the endpoint from being located at the root
+* and must be provided manually.
+*
+* @external
+*/
+const oauthProviderAuthServerMetadata = (auth, opts) => {
+	return async (_request) => {
+		const res = await auth.api.getOAuthServerConfig();
+		return new Response(JSON.stringify(res), {
+			status: 200,
+			headers: {
+				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
+				...opts?.headers,
+				"Content-Type": "application/json"
+			}
+		});
+	};
+};
+/**
+* Provides an exportable `/.well-known/openid-configuration`.
+*
+* Useful when basePath prevents the endpoint from being located at the root
+* and must be provided manually.
+*
+* @external
+*/
+const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
+	return async (_request) => {
+		const res = await auth.api.getOpenIdConfig();
+		return new Response(JSON.stringify(res), {
+			status: 200,
+			headers: {
+				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
+				...opts?.headers,
+				"Content-Type": "application/json"
+			}
+		});
+	};
+};
+
 //#endregion
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts) {
@@ -301,7 +337,7 @@ async function consentEndpoint(ctx, opts) {
 	}
 	if (!(ctx.body.accept === true)) return {
 		redirect: true,
-		uri: formatErrorURL(query.get("redirect_uri") ?? "", "access_denied", "User denied access", query.get("state") ?? void 0)
+		url: formatErrorURL(query.get("redirect_uri") ?? "", "access_denied", "User denied access", query.get("state") ?? void 0, getIssuer(ctx, opts))
 	};
 	const session = await getSessionFromCtx(ctx);
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
@@ -358,7 +394,7 @@ async function consentEndpoint(ctx, opts) {
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
-		uri: url
+		url
 	};
 }
 
@@ -384,7 +420,7 @@ async function selected(ctx, opts) {
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
-		uri: url
+		url
 	};
 }
 async function created(ctx, opts) {
@@ -397,7 +433,7 @@ async function created(ctx, opts) {
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
-		uri: url
+		url
 	};
 }
 async function postLogin(ctx, opts) {
@@ -412,7 +448,7 @@ async function postLogin(ctx, opts) {
 	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: true });
 	return {
 		redirect: true,
-		uri: url
+		url
 	};
 }
 
@@ -516,7 +552,7 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 		scopes,
 		resource: ctx.body.resource,
 		referenceId,
-		metadata: client.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const jwtPluginOptions = getJwtPlugin(ctx.context).options;
 	return signJWT(ctx, {
@@ -547,7 +583,7 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId)
 	const customClaims = opts.customIdTokenClaims ? await opts.customIdTokenClaims({
 		user,
 		scopes,
-		metadata: client.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
 	const payload = {
@@ -857,7 +893,7 @@ async function handleClientCredentialsGrant(ctx, opts) {
 	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
 		scopes: requestedScopes,
 		resource: ctx.body.resource,
-		metadata: client.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const accessToken = audience && !opts.disableJwtPlugin ? await signJWT(ctx, {
 		options: jwtPluginOptions,
@@ -1069,7 +1105,7 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 		user,
 		scopes: accessToken.scopes,
 		referenceId: accessToken?.referenceId,
-		metadata: client?.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client?.metadata)
 	}) : {};
 	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
 	return {
@@ -1079,8 +1115,8 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 		client_id: accessToken.clientId,
 		sub: user?.id,
 		sid: sessionId,
-		exp: Math.floor(accessToken.expiresAt.getTime() / 1e3),
-		iat: Math.floor(accessToken.createdAt.getTime() / 1e3),
+		exp: Math.floor(new Date(accessToken.expiresAt).getTime() / 1e3),
+		iat: Math.floor(new Date(accessToken.createdAt).getTime() / 1e3),
 		scope: accessToken.scopes?.join(" ")
 	};
 }
@@ -1123,8 +1159,8 @@ async function validateRefreshToken(ctx, opts, token, clientId) {
 		iss: ((opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options)?.jwt?.issuer ?? ctx.context.baseURL,
 		sub: user?.id,
 		sid: sessionId,
-		exp: Math.floor(refreshToken.expiresAt.getTime() / 1e3),
-		iat: Math.floor(refreshToken.createdAt.getTime() / 1e3),
+		exp: Math.floor(new Date(refreshToken.expiresAt).getTime() / 1e3),
+		iat: Math.floor(new Date(refreshToken.createdAt).getTime() / 1e3),
 		scope: refreshToken.scopes?.join(" ")
 	};
 }
@@ -1400,7 +1436,11 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 	});
 	const client = await ctx.context.adapter.create({
 		model: "oauthClient",
-		data: schema$1
+		data: {
+			...schema$1,
+			createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+			updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
+		}
 	});
 	return ctx.json(schemaToOAuth({
 		...client,
@@ -1420,14 +1460,19 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 * @returns
 */
 function oauthToSchema(input) {
-	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, reference_id: referenceId, ...rest } = input;
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
 	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
 	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
+	const scopes = _scope?.split(" ");
+	const metadataObj = {
+		...rest && Object.keys(rest).length ? rest : {},
+		...inputMetadata && typeof inputMetadata === "object" ? inputMetadata : {}
+	};
 	return {
 		clientId,
 		clientSecret,
 		disabled,
-		scopes: _scope?.split(" "),
+		scopes,
 		userId,
 		createdAt,
 		expiresAt,
@@ -1450,7 +1495,7 @@ function oauthToSchema(input) {
 		skipConsent,
 		enableEndSession,
 		referenceId,
-		metadata: rest && Object.keys(rest).length ? JSON.stringify(rest) : void 0
+		metadata: Object.keys(metadataObj).length ? JSON.stringify(metadataObj) : void 0
 	};
 }
 /**
@@ -1461,11 +1506,11 @@ function oauthToSchema(input) {
 */
 function schemaToOAuth(input) {
 	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, skipConsent, enableEndSession, referenceId, metadata } = input;
-	const _expiresAt = expiresAt ? Math.round(expiresAt.getTime() / 1e3) : void 0;
-	const _createdAt = createdAt ? Math.round(createdAt.getTime() / 1e3) : void 0;
+	const _expiresAt = expiresAt ? Math.round(new Date(expiresAt).getTime() / 1e3) : void 0;
+	const _createdAt = createdAt ? Math.round(new Date(createdAt).getTime() / 1e3) : void 0;
 	const _scopes = scopes?.join(" ");
 	return {
-		...metadata ? JSON.parse(metadata) : void 0,
+		...parseClientMetadata(metadata),
 		client_id: clientId,
 		client_secret: clientSecret ?? void 0,
 		client_secret_expires_at: clientSecret ? _expiresAt ?? 0 : void 0,
@@ -1497,8 +1542,19 @@ function schemaToOAuth(input) {
 
 //#endregion
 //#region src/types/zod.ts
+const DANGEROUS_SCHEMES = [
+	"javascript:",
+	"data:",
+	"vbscript:"
+];
+function isLocalhost(hostname) {
+	return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
+}
 /**
-* Reusable URL validation that disallows javascript: scheme
+* Reusable URL validation for OAuth redirect URIs.
+* - Blocks dangerous schemes (javascript:, data:, vbscript:)
+* - For http/https: requires HTTPS (HTTP allowed only for localhost)
+* - Allows custom schemes for mobile apps (e.g., myapp://callback)
 */
 const SafeUrlSchema = z.url().superRefine((val, ctx) => {
 	if (!URL.canParse(val)) {
@@ -1509,19 +1565,30 @@ const SafeUrlSchema = z.url().superRefine((val, ctx) => {
 		});
 		return z.NEVER;
 	}
-}).refine((url) => {
-	const u = new URL(url);
-	return u.protocol !== "javascript:" && u.protocol !== "data:" && u.protocol !== "vbscript:";
-}, { message: "URL cannot use javascript:, data:, or vbscript: scheme" });
+	const u = new URL(val);
+	if (DANGEROUS_SCHEMES.includes(u.protocol)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL cannot use javascript:, data:, or vbscript: scheme"
+		});
+		return;
+	}
+	if (u.protocol === "http:" || u.protocol === "https:") {
+		if (u.protocol === "http:" && !isLocalhost(u.hostname)) ctx.addIssue({
+			code: "custom",
+			message: "Redirect URI must use HTTPS (HTTP allowed only for localhost)"
+		});
+	}
+});
 
 //#endregion
 //#region src/oauthClient/endpoints.ts
 async function getClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
 	if (!session) throw new APIError$1("UNAUTHORIZED");
-	if (!ctx.request) throw new APIError$1("BAD_REQUEST");
+	if (!ctx.headers) throw new APIError$1("BAD_REQUEST");
 	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.request.headers,
+		headers: ctx.headers,
 		action: "read",
 		session: session.session,
 		user: session.user
@@ -1567,9 +1634,9 @@ async function getClientPublicEndpoint(ctx, opts) {
 async function getClientsEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
 	if (!session) throw new APIError$1("UNAUTHORIZED");
-	if (!ctx.request) throw new APIError$1("BAD_REQUEST");
+	if (!ctx.headers) throw new APIError$1("BAD_REQUEST");
 	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.request.headers,
+		headers: ctx.headers,
 		action: "list",
 		session: session.session,
 		user: session.user
@@ -1608,9 +1675,9 @@ async function getClientsEndpoint(ctx, opts) {
 async function deleteClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
 	if (!session) throw new APIError$1("UNAUTHORIZED");
-	if (!ctx.request) throw new APIError$1("BAD_REQUEST");
+	if (!ctx.headers) throw new APIError$1("BAD_REQUEST");
 	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.request.headers,
+		headers: ctx.headers,
 		action: "delete",
 		session: session.session,
 		user: session.user
@@ -1641,9 +1708,9 @@ async function deleteClientEndpoint(ctx, opts) {
 async function updateClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
 	if (!session) throw new APIError$1("UNAUTHORIZED");
-	if (!ctx.request) throw new APIError$1("BAD_REQUEST");
+	if (!ctx.headers) throw new APIError$1("BAD_REQUEST");
 	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.request.headers,
+		headers: ctx.headers,
 		action: "update",
 		session: session.session,
 		user: session.user
@@ -1679,7 +1746,10 @@ async function updateClientEndpoint(ctx, opts) {
 			field: "clientId",
 			value: clientId
 		}],
-		update: oauthToSchema(updates)
+		update: {
+			...oauthToSchema(updates),
+			updatedAt: /* @__PURE__ */ new Date(Math.floor(Date.now() / 1e3) * 1e3)
+		}
 	});
 	if (!updatedClient) throw new APIError$1("INTERNAL_SERVER_ERROR", {
 		error_description: "unable to update client",
@@ -1692,9 +1762,9 @@ async function updateClientEndpoint(ctx, opts) {
 async function rotateClientSecretEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
 	if (!session) throw new APIError$1("UNAUTHORIZED");
-	if (!ctx.request) throw new APIError$1("BAD_REQUEST");
+	if (!ctx.headers) throw new APIError$1("BAD_REQUEST");
 	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.request.headers,
+		headers: ctx.headers,
 		action: "rotate",
 		session: session.session,
 		user: session.user
@@ -1727,8 +1797,8 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 			value: clientId
 		}],
 		update: {
-			...schemaToOAuth(client),
-			clientSecret: storedClientSecret
+			clientSecret: storedClientSecret,
+			updatedAt: /* @__PURE__ */ new Date(Math.floor(Date.now() / 1e3) * 1e3)
 		}
 	});
 	if (!updatedClient) throw new APIError$1("INTERNAL_SERVER_ERROR", {
@@ -2915,7 +2985,12 @@ const oauthProvider = (options) => {
 				metadata: { SERVER_ONLY: true }
 			}, async (ctx) => {
 				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
-				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options, { scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes });
+				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options, {
+					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+					public_client_supported: opts.allowUnauthenticatedClientRegistration,
+					grant_types_supported: opts.grantTypes,
+					jwt_disabled: opts.disableJwtPlugin
+				});
 			}),
 			getOpenIdConfig: createAuthEndpoint("/.well-known/openid-configuration", {
 				method: "GET",
@@ -3710,9 +3785,42 @@ const oauthProvider = (options) => {
 			updateOAuthConsent: updateOAuthConsent(opts),
 			deleteOAuthConsent: deleteOAuthConsent(opts)
 		},
-		schema: mergeSchema(schema, opts?.schema)
+		schema: mergeSchema(schema, opts?.schema),
+		rateLimit: [
+			...opts.rateLimit?.token !== false ? [{
+				pathMatcher: (path) => path === "/oauth2/token",
+				window: opts.rateLimit?.token?.window ?? 60,
+				max: opts.rateLimit?.token?.max ?? 20
+			}] : [],
+			...opts.rateLimit?.authorize !== false ? [{
+				pathMatcher: (path) => path === "/oauth2/authorize",
+				window: opts.rateLimit?.authorize?.window ?? 60,
+				max: opts.rateLimit?.authorize?.max ?? 30
+			}] : [],
+			...opts.rateLimit?.introspect !== false ? [{
+				pathMatcher: (path) => path === "/oauth2/introspect",
+				window: opts.rateLimit?.introspect?.window ?? 60,
+				max: opts.rateLimit?.introspect?.max ?? 100
+			}] : [],
+			...opts.rateLimit?.revoke !== false ? [{
+				pathMatcher: (path) => path === "/oauth2/revoke",
+				window: opts.rateLimit?.revoke?.window ?? 60,
+				max: opts.rateLimit?.revoke?.max ?? 30
+			}] : [],
+			...opts.rateLimit?.register !== false ? [{
+				pathMatcher: (path) => path === "/oauth2/register",
+				window: opts.rateLimit?.register?.window ?? 60,
+				max: opts.rateLimit?.register?.max ?? 5
+			}] : [],
+			...opts.rateLimit?.userinfo !== false ? [{
+				pathMatcher: (path) => path === "/oauth2/userinfo",
+				window: opts.rateLimit?.userinfo?.window ?? 60,
+				max: opts.rateLimit?.userinfo?.max ?? 60
+			}] : []
+		]
 	};
 };
 
 //#endregion
-export { authServerMetadata, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+export { authServerMetadata, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+//# sourceMappingURL=index.mjs.map