@better-auth/oauth-provider 1.4.8-beta.7

package/LICENSE.md

@@ -0,0 +1,17 @@
+The MIT License (MIT)
+Copyright (c) 2024 - present, Bereket Engida
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software
+and associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute,
+sublicense, and/or sell copies of the Software, and to permit persons to whom the Software
+is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
+BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/dist/client-resource.d.mts

@@ -0,0 +1,81 @@
+import { a as ResourceServerMetadata } from "./oauth-kjs13QN6.mjs";
+import { JWTPayload, JWTVerifyOptions } from "jose";
+import { Auth } from "better-auth/types";
+
+//#region src/client-resource.d.ts
+declare const oauthProviderResourceClient: <T extends Auth | undefined>(auth?: T) => {
+  id: "oauth-provider-resource-client";
+  getActions(): {
+    /**
+     * Performs verification of an access token for your APIs. Can perform
+     * local verification using `jwksUrl` by default. Can also be configured
+     * for remote introspection using `remoteVerify` if a confidential client
+     * is set up for this API.
+     *
+     * The optional auth parameter can fill known values automatically.
+     */
+    verifyAccessToken: VerifyAccessTokenOutput<T>;
+    /**
+     * An authorization server does not typically publish
+     * the `/.well-known/oauth-protected-resource` themselves.
+     * Thus, we provide a client-only endpoint to help set up
+     * your protected resource metadata.
+     *
+     * The optional auth parameter can fill known values automatically.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc8414#section-2
+     */
+    getProtectedResourceMetadata: ProtectedResourceMetadataOutput<T>;
+  };
+};
+interface VerifyAccessTokenRemote {
+  /** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
+  introspectUrl: string;
+  /** Client Secret */
+  clientId: string;
+  /** Client Secret */
+  clientSecret: string;
+  /**
+   * Forces remote verification of a token.
+   * This ensures attached session (if applicable)
+   * is also still active.
+   */
+  force?: boolean;
+}
+type VerifyAccessTokenOutput<T> = T extends Auth ? (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload>;
+type VerifyAccessTokenAuthOpts = {
+  verifyOptions?: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience">>;
+  scopes?: string[];
+  jwksUrl?: string;
+  remoteVerify?: VerifyAccessTokenRemote;
+  /** Maps non-url (ie urn, client) resources to resource_metadata */
+  resourceMetadataMappings?: Record<string, string>;
+};
+type VerifyAccessTokenNoAuthOpts = {
+  verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+  scopes?: string[];
+  jwksUrl: string;
+  remoteVerify?: VerifyAccessTokenRemote;
+  /** Maps non-url (ie urn, client) resources to resource_metadata */
+  resourceMetadataMappings?: Record<string, string>;
+} | {
+  verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+  scopes?: string[];
+  jwksUrl?: string;
+  remoteVerify: VerifyAccessTokenRemote;
+  /** Maps non-url (ie urn, client) resources to resource_metadata */
+  resourceMetadataMappings?: Record<string, string>;
+};
+type ProtectedResourceMetadataOutput<T> = T extends Auth ? (overrides?: Partial<ResourceServerMetadata>, opts?: {
+  silenceWarnings?: {
+    oidcScopes?: boolean;
+  };
+  externalScopes?: string[];
+}) => Promise<ResourceServerMetadata> : (overrides: ResourceServerMetadata, opts?: {
+  silenceWarnings?: {
+    oidcScopes?: boolean;
+  };
+  externalScopes?: string[];
+}) => Promise<ResourceServerMetadata>;
+//#endregion
+export { VerifyAccessTokenRemote, oauthProviderResourceClient };

package/dist/client-resource.mjs

@@ -0,0 +1,75 @@
+import { a as getJwtPlugin, f as handleMcpErrors, o as getOAuthProviderPlugin } from "./utils-CSiY9oUk.mjs";
+import { verifyAccessToken } from "better-auth/oauth2";
+import { APIError } from "better-call";
+import { BetterAuthError } from "@better-auth/core/error";
+import { logger } from "@better-auth/core/env";
+
+//#region src/client-resource.ts
+const oauthProviderResourceClient = (auth) => {
+	const oauthProviderOptions = (auth ? getOAuthProviderPlugin(auth) : void 0)?.options;
+	const jwtPluginOptions = (auth && !oauthProviderOptions?.disableJwtPlugin ? getJwtPlugin(auth) : void 0)?.options;
+	const authServerBaseUrl = auth?.options.baseURL;
+	const authServerBasePath = auth?.options.basePath;
+	const authorizationServer = jwtPluginOptions?.jwt?.issuer ?? authServerBaseUrl;
+	return {
+		id: "oauth-provider-resource-client",
+		getActions() {
+			return {
+				verifyAccessToken: (async (token, opts) => {
+					const audience = opts?.verifyOptions?.audience ?? authServerBaseUrl;
+					const issuer = opts?.verifyOptions?.issuer ?? jwtPluginOptions?.jwt?.issuer ?? authServerBaseUrl;
+					if (!audience) throw Error("please define opts.verifyOptions.audience");
+					if (!issuer) throw Error("please define opts.verifyOptions.issuer");
+					const jwksUrl = opts?.jwksUrl ?? jwtPluginOptions?.jwks?.remoteUrl ?? (authServerBaseUrl ? `${authServerBaseUrl + (authServerBasePath ?? "")}/jwks` : void 0);
+					const introspectUrl = opts?.remoteVerify?.introspectUrl ?? (authServerBaseUrl ? `${authServerBaseUrl}${authServerBasePath ?? ""}/oauth2/introspect` : void 0);
+					try {
+						if (!token?.length) throw new APIError("UNAUTHORIZED", { message: "missing authorization header" });
+						return await verifyAccessToken(token, {
+							...opts,
+							jwksUrl,
+							verifyOptions: {
+								...opts?.verifyOptions,
+								audience,
+								issuer
+							},
+							remoteVerify: opts?.remoteVerify && introspectUrl ? {
+								...opts.remoteVerify,
+								introspectUrl
+							} : void 0
+						});
+					} catch (error) {
+						throw handleMcpErrors(error, audience, { resourceMetadataMappings: opts?.resourceMetadataMappings });
+					}
+				}),
+				getProtectedResourceMetadata: (async (overrides, opts) => {
+					const resource = overrides?.resource ?? authServerBaseUrl;
+					if (!resource) throw Error("missing required resource");
+					if (oauthProviderOptions?.scopes && opts?.externalScopes && (overrides?.authorization_servers?.length ?? 0) <= 1) throw new BetterAuthError("external scopes should not be provided with one authorization server");
+					if (overrides?.scopes_supported) {
+						const allValidScopes = new Set([...oauthProviderOptions?.scopes ?? [], ...opts?.externalScopes ?? []]);
+						for (const sc of overrides.scopes_supported) {
+							if (sc === "openid") throw new BetterAuthError("Only the Auth Server should utilize the openid scope");
+							if ([
+								"profile",
+								"email",
+								"phone",
+								"address"
+							].includes(sc)) {
+								if (!opts?.silenceWarnings?.oidcScopes) logger.warn(`"${sc}" is typically restricted for the authorization server, a resource server typically shouldn't handle this scope`);
+							}
+							if (!allValidScopes.has(sc)) throw new BetterAuthError(`Unsupported scope ${sc}. If external, please add to "externalScopes"`);
+						}
+					}
+					return {
+						resource,
+						authorization_servers: authorizationServer ? [authorizationServer] : void 0,
+						...overrides
+					};
+				})
+			};
+		}
+	};
+};
+
+//#endregion
+export { oauthProviderResourceClient };

package/dist/client.d.mts

@@ -0,0 +1,19 @@
+import "./oauth-kjs13QN6.mjs";
+import { t as oauthProvider } from "./oauth-Cex7QJsW.mjs";
+import * as _better_fetch_fetch0 from "@better-fetch/fetch";
+
+//#region src/client.d.ts
+declare const oauthProviderClient: () => {
+  id: "oauth-provider-client";
+  fetchPlugins: {
+    id: string;
+    name: string;
+    description: string;
+    hooks: {
+      onRequest<T extends Record<string, any>>(ctx: _better_fetch_fetch0.RequestContext<T>): Promise<void>;
+    };
+  }[];
+  $InferServerPlugin: ReturnType<typeof oauthProvider>;
+};
+//#endregion
+export { oauthProviderClient };

package/dist/client.mjs

@@ -0,0 +1,38 @@
+import { safeJSONParse } from "@better-auth/core/utils";
+
+//#region src/client.ts
+function parseSignedQuery(search) {
+	const params = new URLSearchParams(search);
+	if (params.has("sig")) {
+		const signedParams = new URLSearchParams();
+		for (const [key, value] of params.entries()) {
+			signedParams.append(key, value);
+			if (key === "sig") break;
+		}
+		return signedParams.toString();
+	}
+}
+const oauthProviderClient = () => {
+	return {
+		id: "oauth-provider-client",
+		fetchPlugins: [{
+			id: "oauth-provider-signin",
+			name: "oauth-provider-signin",
+			description: "Adds the current page query to oauth requests",
+			hooks: { async onRequest(ctx) {
+				const headers = ctx.headers;
+				const body = typeof ctx.body === "string" ? headers.get("content-type") === "application/x-www-form-urlencoded" ? Object.fromEntries(new URLSearchParams(ctx.body)) : safeJSONParse(ctx.body ?? "{}") : ctx.body;
+				if (body?.oauth_query) return;
+				const pathname = typeof ctx.url === "string" ? new URL(ctx.url).pathname : ctx.url.pathname;
+				if (pathname.endsWith("/sign-in/email") || pathname.endsWith("/sign-in/social") || pathname.endsWith("/sign-in/oauth2") || pathname.endsWith("/oauth2/consent") || pathname.endsWith("/oauth2/continue")) ctx.body = JSON.stringify({
+					...body,
+					oauth_query: typeof window !== "undefined" ? parseSignedQuery(window?.location?.search) : void 0
+				});
+			} }
+		}],
+		$InferServerPlugin: {}
+	};
+};
+
+//#endregion
+export { oauthProviderClient };

package/dist/index.d.mts

@@ -0,0 +1,65 @@
+import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-kjs13QN6.mjs";
+import { t as oauthProvider } from "./oauth-Cex7QJsW.mjs";
+import { verifyAccessToken } from "better-auth/oauth2";
+import { JWSAlgorithms, JwtOptions } from "better-auth/plugins/jwt";
+import { JWTPayload } from "jose";
+import { GenericEndpointContext } from "@better-auth/core";
+
+//#region src/mcp.d.ts
+
+/**
+ * A request middleware handler that checks and responds with
+ * a WWW-Authenticate header for unauthenticated responses.
+ *
+ * @external
+ */
+declare const mcpHandler: (/** Resource is the same url as the audience */
+verifyOptions: Parameters<typeof verifyAccessToken>[1], handler: (req: Request, jwt: JWTPayload) => Awaitable<Response>, opts?: {
+  /** Maps non-url (ie urn, client) resources to resource_metadata */
+  resourceMetadataMappings: Record<string, string>;
+}) => (req: Request) => Promise<Response>;
+//#endregion
+//#region src/metadata.d.ts
+declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptions, overrides?: {
+  scopes_supported?: AuthServerMetadata["scopes_supported"];
+  public_client_supported?: boolean;
+  grant_types_supported?: GrantType[];
+  jwt_disabled?: boolean;
+}): AuthServerMetadata;
+declare function oidcServerMetadata(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]> & {
+  claims?: string[];
+}): Omit<OIDCMetadata, "id_token_signing_alg_values_supported"> & {
+  id_token_signing_alg_values_supported: JWSAlgorithms[] | ["HS256"];
+};
+/**
+ * Provides an exportable `/.well-known/oauth-authorization-server`.
+ *
+ * Useful when basePath prevents the endpoint from being located at the root
+ * and must be provided manually.
+ *
+ * @external
+ */
+declare const oauthProviderAuthServerMetadata: <Auth extends {
+  api: {
+    getOAuthServerConfig: (...args: any) => any;
+  };
+}>(auth: Auth, opts?: {
+  headers?: HeadersInit;
+}) => (_request: Request) => Promise<Response>;
+/**
+ * Provides an exportable `/.well-known/openid-configuration`.
+ *
+ * Useful when basePath prevents the endpoint from being located at the root
+ * and must be provided manually.
+ *
+ * @external
+ */
+declare const oauthProviderOpenIdConfigMetadata: <Auth extends {
+  api: {
+    getOpenIdConfig: (...args: any) => any;
+  };
+}>(auth: Auth, opts?: {
+  headers?: HeadersInit;
+}) => (_request: Request) => Promise<Response>;
+//#endregion
+export { AuthServerMetadata, AuthorizePrompt, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };