@better-auth/oauth-provider 1.5.0-beta.1 → 1.5.0-beta.2

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { a as ResourceServerMetadata } from "./oauth-kjs13QN6.mjs";
+import { a as ResourceServerMetadata } from "./oauth-BrFoF22H.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 

package/dist/client-resource.mjs

@@ -20,7 +20,7 @@ const oauthProviderResourceClient = (auth) => {
 					const issuer = opts?.verifyOptions?.issuer ?? jwtPluginOptions?.jwt?.issuer ?? authServerBaseUrl;
 					if (!audience) throw Error("please define opts.verifyOptions.audience");
 					if (!issuer) throw Error("please define opts.verifyOptions.issuer");
-					const jwksUrl = opts?.jwksUrl ?? jwtPluginOptions?.jwks?.remoteUrl ?? (authServerBaseUrl ? `${authServerBaseUrl + (authServerBasePath ?? "")}/jwks` : void 0);
+					const jwksUrl = opts?.jwksUrl ?? jwtPluginOptions?.jwks?.remoteUrl ?? (authServerBaseUrl ? `${authServerBaseUrl + (authServerBasePath ?? "")}${jwtPluginOptions?.jwks?.jwksPath ?? "/jwks"}` : void 0);
 					const introspectUrl = opts?.remoteVerify?.introspectUrl ?? (authServerBaseUrl ? `${authServerBaseUrl}${authServerBasePath ?? ""}/oauth2/introspect` : void 0);
 					try {
 						if (!token?.length) throw new APIError("UNAUTHORIZED", { message: "missing authorization header" });

package/dist/client.d.mts

@@ -1,5 +1,5 @@
-import "./oauth-kjs13QN6.mjs";
-import { t as oauthProvider } from "./oauth-Cex7QJsW.mjs";
+import "./oauth-BrFoF22H.mjs";
+import { t as oauthProvider } from "./oauth-C1OnEiU-.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/index.d.mts

@@ -1,7 +1,7 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-kjs13QN6.mjs";
-import { t as oauthProvider } from "./oauth-Cex7QJsW.mjs";
+import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-BrFoF22H.mjs";
+import { t as oauthProvider } from "./oauth-C1OnEiU-.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
-import { JWSAlgorithms, JwtOptions } from "better-auth/plugins/jwt";
+import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
 import { GenericEndpointContext } from "@better-auth/core";
 

package/dist/index.mjs

@@ -2,7 +2,6 @@ import { a as getJwtPlugin, c as parsePrompt, d as validateClientCredentials, i
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { BetterAuthError } from "@better-auth/core/error";
-import { createHash } from "@better-auth/utils/hash";
 import { constantTimeEqual, generateRandomString, makeSignature } from "better-auth/crypto";
 import { defineRequestState } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
@@ -10,11 +9,8 @@ import { APIError as APIError$1, createAuthEndpoint, createAuthMiddleware, getOA
 import { parseSetCookieHeader } from "better-auth/cookies";
 import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
-import { signJWT, toExpJWT } from "better-auth/plugins/jwt";
+import { signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
-import "@better-auth/utils";
-import "@better-auth/utils/hex";
-import { createRandomStringGenerator } from "@better-auth/utils/random";
 
 //#region src/metadata.ts
 function authServerMetadata(ctx, opts, overrides) {
@@ -24,7 +20,7 @@ function authServerMetadata(ctx, opts, overrides) {
 		issuer: opts?.jwt?.issuer ?? baseURL,
 		authorization_endpoint: `${baseURL}/oauth2/authorize`,
 		token_endpoint: `${baseURL}/oauth2/token`,
-		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}/jwks`,
+		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
 		registration_endpoint: `${baseURL}/oauth2/register`,
 		introspection_endpoint: `${baseURL}/oauth2/introspect`,
 		revocation_endpoint: `${baseURL}/oauth2/revoke`,
@@ -1223,7 +1219,7 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 	const { id_token_hint, client_id, post_logout_redirect_uri, state } = ctx.query;
 	const baseURL = ctx.context.baseURL;
 	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
-	const jwksUrl = jwtPluginOptions?.jwks?.remoteUrl ?? `${baseURL}/jwks`;
+	const jwksUrl = jwtPluginOptions?.jwks?.remoteUrl ?? `${baseURL}${jwtPluginOptions?.jwks?.jwksPath ?? "/jwks"}`;
 	let clientId = client_id;
 	if (!clientId) {
 		let decoded;
@@ -1323,152 +1319,6 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 	}
 }
 
-//#endregion
-//#region ../better-auth/src/crypto/jwt.ts
-const info = new Uint8Array([
-	66,
-	101,
-	116,
-	116,
-	101,
-	114,
-	65,
-	117,
-	116,
-	104,
-	46,
-	106,
-	115,
-	32,
-	71,
-	101,
-	110,
-	101,
-	114,
-	97,
-	116,
-	101,
-	100,
-	32,
-	69,
-	110,
-	99,
-	114,
-	121,
-	112,
-	116,
-	105,
-	111,
-	110,
-	32,
-	75,
-	101,
-	121
-]);
-
-//#endregion
-//#region ../better-auth/src/crypto/random.ts
-const generateRandomString$1 = createRandomStringGenerator("a-z", "0-9", "A-Z", "-_");
-
-//#endregion
-//#region ../better-auth/src/utils/time.ts
-const SEC = 1e3;
-const MIN = SEC * 60;
-const HOUR = MIN * 60;
-const DAY = HOUR * 24;
-const WEEK = DAY * 7;
-const MONTH = DAY * 30;
-const YEAR = DAY * 365.25;
-const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|months?|mo|years?|yrs?|y)(?: (ago|from now))?$/i;
-function parse(value) {
-	const match = REGEX.exec(value);
-	if (!match || match[4] && match[1]) throw new TypeError(`Invalid time string format: "${value}". Use formats like "7d", "30m", "1 hour", etc.`);
-	const n = parseFloat(match[2]);
-	const unit = match[3].toLowerCase();
-	let result;
-	switch (unit) {
-		case "years":
-		case "year":
-		case "yrs":
-		case "yr":
-		case "y":
-			result = n * YEAR;
-			break;
-		case "months":
-		case "month":
-		case "mo":
-			result = n * MONTH;
-			break;
-		case "weeks":
-		case "week":
-		case "w":
-			result = n * WEEK;
-			break;
-		case "days":
-		case "day":
-		case "d":
-			result = n * DAY;
-			break;
-		case "hours":
-		case "hour":
-		case "hrs":
-		case "hr":
-		case "h":
-			result = n * HOUR;
-			break;
-		case "minutes":
-		case "minute":
-		case "mins":
-		case "min":
-		case "m":
-			result = n * MIN;
-			break;
-		case "seconds":
-		case "second":
-		case "secs":
-		case "sec":
-		case "s":
-			result = n * SEC;
-			break;
-		default: throw new TypeError(`Unknown time unit: "${unit}"`);
-	}
-	if (match[1] === "-" || match[4] === "ago") return -result;
-	return result;
-}
-/**
-* Parse a time string and return the value in seconds.
-*
-* @param value - A time string like "7d", "30m", "1 hour", "2 hours ago"
-* @returns The parsed value in seconds (rounded)
-* @throws TypeError if the string format is invalid
-*
-* @example
-* sec("1d")          // 86400
-* sec("2 hours")     // 7200
-* sec("-30s")        // -30
-* sec("2 hours ago") // -7200
-*/
-function sec(value) {
-	return Math.round(parse(value) / 1e3);
-}
-
-//#endregion
-//#region ../better-auth/src/plugins/jwt/utils.ts
-/**
-* Converts an expirationTime to ISO seconds expiration time (the format of JWT exp)
-*
-* See https://github.com/panva/jose/blob/main/src/lib/jwt_claims_set.ts#L245
-*
-* @param expirationTime - see options.jwt.expirationTime
-* @param iat - the iat time to consolidate on
-* @returns
-*/
-function toExpJWT$1(expirationTime, iat) {
-	if (typeof expirationTime === "number") return expirationTime;
-	else if (expirationTime instanceof Date) return Math.floor(expirationTime.getTime() / 1e3);
-	else return iat + sec(expirationTime);
-}
-
 //#endregion
 //#region src/register.ts
 async function registerEndpoint(ctx, opts) {
@@ -1540,7 +1390,7 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 		disabled: void 0,
 		jwks: void 0,
 		jwks_uri: void 0,
-		client_secret_expires_at: storedClientSecret ? settings.isRegister && opts?.clientRegistrationClientSecretExpiration ? toExpJWT$1(opts.clientRegistrationClientSecretExpiration, iat) : 0 : void 0,
+		client_secret_expires_at: storedClientSecret ? settings.isRegister && opts?.clientRegistrationClientSecretExpiration ? toExpJWT(opts.clientRegistrationClientSecretExpiration, iat) : 0 : void 0,
 		client_id: clientId,
 		client_secret: storedClientSecret,
 		client_id_issued_at: iat,
@@ -3010,6 +2860,7 @@ const oauthProvider = (options) => {
 		id: "oauthProvider",
 		options: opts,
 		init: (ctx) => {
+			if (ctx.options.session && !ctx.options.session.storeSessionInDatabase) throw new BetterAuthError("OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage");
 			if (!opts.disableJwtPlugin) {
 				const issuer = getJwtPlugin(ctx).options?.jwt?.issuer ?? ctx.baseURL;
 				const issuerPath = new URL(issuer).pathname;

package/dist/{oauth-kjs13QN6.d.mts → oauth-BrFoF22H.d.mts}

@@ -1,4 +1,4 @@
-import { JWSAlgorithms } from "better-auth/plugins/jwt";
+import { JWSAlgorithms } from "better-auth/plugins";
 import { JWTPayload } from "jose";
 import { InferOptionSchema, Session, User } from "better-auth/types";
 import { LiteralString } from "@better-auth/core";

package/dist/{oauth-Cex7QJsW.d.mts → oauth-C1OnEiU-.d.mts}

@@ -1,10 +1,10 @@
-import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-kjs13QN6.mjs";
+import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-BrFoF22H.mjs";
 import * as better_call0 from "better-call";
 import "@better-auth/core/context";
 import * as z from "zod";
+import * as better_auth_plugins0 from "better-auth/plugins";
 import * as jose0 from "jose";
 import * as better_auth0 from "better-auth";
-import * as better_auth_plugins0 from "better-auth/plugins";
 
 //#region src/oauth.d.ts
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.5.0-beta.1",
+  "version": "1.5.0-beta.2",
   "type": "module",
   "description": "An oauth provider plugin for Better Auth",
   "main": "dist/index.mjs",
@@ -42,8 +42,8 @@
     "@modelcontextprotocol/sdk": "^1.24.2",
     "listhen": "^1.9.0",
     "tsdown": "^0.17.2",
-    "@better-auth/core": "1.5.0-beta.1",
-    "better-auth": "1.5.0-beta.1"
+    "@better-auth/core": "1.5.0-beta.2",
+    "better-auth": "1.5.0-beta.2"
   },
   "dependencies": {
     "jose": "^6.1.0",
@@ -53,8 +53,8 @@
     "@better-auth/utils": "0.3.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.1.7",
-    "@better-auth/core": "1.5.0-beta.1",
-    "better-auth": "1.5.0-beta.1"
+    "@better-auth/core": "1.5.0-beta.2",
+    "better-auth": "1.5.0-beta.2"
   },
   "files": [
     "dist"