@better-auth/oauth-provider 1.5.0-beta.13 → 1.5.0-beta.15

package/dist/index.mjs

@@ -1,158 +1,58 @@
-import { a as getJwtPlugin, c as parseClientMetadata, d as storeToken, f as validateClientCredentials, i as getClient, l as parsePrompt, m as mcpHandler, n as decryptStoredClientSecret, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as storeClientSecret } from "./utils-DWE-cPWY.mjs";
+import { a as getJwtPlugin, c as isPKCERequired, d as storeClientSecret, f as storeToken, h as mcpHandler, i as getClient, l as parseClientMetadata, n as decryptStoredClientSecret, p as validateClientCredentials, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parsePrompt } from "./utils-fj4yCZS4.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
 import { constantTimeEqual, generateRandomString, makeSignature } from "better-auth/crypto";
-import { BetterAuthError } from "@better-auth/core/error";
 import { defineRequestState } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
+import { BetterAuthError } from "@better-auth/core/error";
 import { parseSetCookieHeader } from "better-auth/cookies";
 import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
 import { signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
 
-//#region src/authorize.ts
-/**
-* Formats an error url
-*/
-function formatErrorURL(url, error, description, state, iss) {
-	const searchParams = new URLSearchParams({
-		error,
-		error_description: description
-	});
-	state && searchParams.append("state", state);
-	iss && searchParams.append("iss", iss);
-	return `${url}${url.includes("?") ? "&" : "?"}${searchParams.toString()}`;
-}
-const handleRedirect = (ctx, uri) => {
-	if (ctx.headers?.get("accept")?.includes("application/json")) return {
-		redirect: true,
-		url: uri.toString()
-	};
-	else throw ctx.redirect(uri);
-};
-/**
-* Validates that the issuer URL
-* - MUST use HTTPS scheme (HTTP allowed for localhost in dev)
-* - MUST NOT contain query components
-* - MUST NOT contain fragment components
-*
-* @returns The validated issuer URL, or a sanitized version if invalid
-*/
-function validateIssuerUrl(issuer) {
-	try {
-		const url = new URL(issuer);
-		const isLocalhost = url.hostname === "localhost" || url.hostname === "127.0.0.1";
-		if (url.protocol !== "https:" && !isLocalhost) url.protocol = "https:";
-		url.search = "";
-		url.hash = "";
-		return url.toString().replace(/\/$/, "");
-	} catch {
-		return issuer;
-	}
-}
-/**
-* Gets the issuer identifier
-*/
-function getIssuer(ctx, opts) {
-	let issuer;
-	if (opts.disableJwtPlugin) issuer = ctx.context.baseURL;
-	else try {
-		issuer = getJwtPlugin(ctx.context).options?.jwt?.issuer ?? ctx.context.baseURL;
-	} catch {
-		issuer = ctx.context.baseURL;
-	}
-	return validateIssuerUrl(issuer);
-}
-/**
-* Error page url if redirect_uri has not been verified yet
-* Generates Url for custom error page
-*/
-function getErrorURL(ctx, error, description) {
-	return formatErrorURL(ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`, error, description);
-}
-async function authorizeEndpoint(ctx, opts, settings) {
-	if (opts.grantTypes && !opts.grantTypes.includes("authorization_code")) throw new APIError$1("NOT_FOUND");
-	if (!ctx.request) throw new APIError$1("UNAUTHORIZED", {
-		error_description: "request not found",
+//#region src/consent.ts
+async function consentEndpoint(ctx, opts) {
+	const _query = (await oAuthState.get())?.query;
+	if (!_query) throw new APIError("BAD_REQUEST", {
+		error_description: "missing oauth query",
 		error: "invalid_request"
 	});
-	const query = ctx.query;
-	if (!query.client_id) throw ctx.redirect(getErrorURL(ctx, "invalid_client", "client_id is required"));
-	if (!query.response_type) throw ctx.redirect(getErrorURL(ctx, "invalid_request", "response_type is required"));
-	const promptSet = ctx.query?.prompt ? parsePrompt(ctx.query?.prompt) : void 0;
-	if (promptSet?.has("select_account") && !opts.selectAccount?.page) throw ctx.redirect(getErrorURL(ctx, `unsupported_prompt_select_account`, "unsupported prompt type"));
-	if (!(query.response_type === "code")) throw ctx.redirect(getErrorURL(ctx, "unsupported_response_type", "unsupported response type"));
-	const client = await getClient(ctx, opts, query.client_id);
-	if (!client) throw ctx.redirect(getErrorURL(ctx, "invalid_client", "client_id is required"));
-	if (client.disabled) throw ctx.redirect(getErrorURL(ctx, "client_disabled", "client is disabled"));
-	if (!client.redirectUris?.find((url) => url === query.redirect_uri) || !query.redirect_uri) throw ctx.redirect(getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
-	let requestedScopes = query.scope?.split(" ").filter((s) => s);
+	const query = new URLSearchParams(_query);
+	const originalRequestedScopes = query.get("scope")?.split(" ") ?? [];
+	const clientId = query.get("client_id");
+	if (!clientId) throw new APIError("BAD_REQUEST", {
+		error_description: "client_id is required",
+		error: "invalid_client"
+	});
+	const requestedScopes = ctx.body.scope?.split(" ");
 	if (requestedScopes) {
-		const validScopes = new Set(client.scopes ?? opts.scopes);
-		const invalidScopes = requestedScopes.filter((scope) => {
-			return !validScopes?.has(scope) || scope === "offline_access" && (query.code_challenge_method !== "S256" || !query.code_challenge);
+		if (!requestedScopes.every((sc) => originalRequestedScopes?.includes(sc))) throw new APIError("BAD_REQUEST", {
+			error_description: "Scope not originally requested",
+			error: "invalid_request"
 		});
-		if (invalidScopes.length) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`, query.state, getIssuer(ctx, opts)));
 	}
-	if (!requestedScopes) {
-		requestedScopes = client.scopes ?? opts.scopes ?? [];
-		query.scope = requestedScopes.join(" ");
-	}
-	if (!query.code_challenge || !query.code_challenge_method) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "pkce is required", query.state, getIssuer(ctx, opts)));
-	if (!["S256"].includes(query.code_challenge_method)) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method", query.state, getIssuer(ctx, opts)));
+	if (!(ctx.body.accept === true)) return {
+		redirect: true,
+		uri: formatErrorURL(query.get("redirect_uri") ?? "", "access_denied", "User denied access", query.get("state") ?? void 0, getIssuer(ctx, opts))
+	};
 	const session = await getSessionFromCtx(ctx);
-	if (!session || promptSet?.has("login") || promptSet?.has("create")) return redirectWithPromptCode(ctx, opts, promptSet?.has("create") ? "create" : "login");
-	if (settings?.isAuthorize && promptSet?.has("select_account")) return redirectWithPromptCode(ctx, opts, "select_account");
-	if (settings?.isAuthorize && opts.selectAccount) {
-		if (await opts.selectAccount.shouldRedirect({
-			headers: ctx.request.headers,
-			user: session.user,
-			session: session.session,
-			scopes: requestedScopes
-		})) return redirectWithPromptCode(ctx, opts, "select_account");
-	}
-	if (opts.signup?.shouldRedirect) {
-		const signupRedirect = await opts.signup.shouldRedirect({
-			headers: ctx.request.headers,
-			user: session.user,
-			session: session.session,
-			scopes: requestedScopes
-		});
-		if (signupRedirect) return redirectWithPromptCode(ctx, opts, "create", typeof signupRedirect === "string" ? signupRedirect : void 0);
-	}
-	if (!settings?.postLogin && opts.postLogin) {
-		if (await opts.postLogin.shouldRedirect({
-			headers: ctx.request.headers,
-			user: session.user,
-			session: session.session,
-			scopes: requestedScopes
-		})) return redirectWithPromptCode(ctx, opts, "post_login");
-	}
-	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent");
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
-		user: session.user,
-		session: session.session,
-		scopes: requestedScopes
-	});
-	if (client.skipConsent) return redirectWithAuthorizationCode(ctx, opts, {
-		query,
-		clientId: client.clientId,
-		userId: session.user.id,
-		sessionId: session.session.id,
-		referenceId
+		user: session?.user,
+		session: session?.session,
+		scopes: requestedScopes ?? originalRequestedScopes
 	});
-	const consent = await ctx.context.adapter.findOne({
+	const foundConsent = await ctx.context.adapter.findOne({
 		model: "oauthConsent",
 		where: [
 			{
 				field: "clientId",
-				value: client.clientId
+				value: clientId
 			},
 			{
 				field: "userId",
-				value: session.user.id
+				value: session?.user.id
 			},
 			...referenceId ? [{
 				field: "referenceId",
@@ -160,264 +60,63 @@ async function authorizeEndpoint(ctx, opts, settings) {
 			}] : []
 		]
 	});
-	if (!consent || !requestedScopes.every((val) => consent.scopes.includes(val))) return redirectWithPromptCode(ctx, opts, "consent");
-	return redirectWithAuthorizationCode(ctx, opts, {
-		query,
-		clientId: client.clientId,
-		userId: session.user.id,
-		sessionId: session.session.id,
-		referenceId
-	});
-}
-async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
-	const code = generateRandomString(32, "a-z", "A-Z", "0-9");
 	const iat = Math.floor(Date.now() / 1e3);
-	const exp = iat + (opts.codeExpiresIn ?? 600);
-	const data = {
-		identifier: await storeToken(opts.storeTokens, code, "authorization_code"),
+	const consent = {
+		clientId,
+		userId: session?.user.id,
+		scopes: requestedScopes ?? originalRequestedScopes,
+		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
 		updatedAt: /* @__PURE__ */ new Date(iat * 1e3),
-		expiresAt: /* @__PURE__ */ new Date(exp * 1e3),
-		value: JSON.stringify({
-			type: "authorization_code",
-			query: ctx.query,
-			userId: verificationValue.userId,
-			sessionId: verificationValue?.sessionId,
-			referenceId: verificationValue.referenceId
-		})
+		referenceId
 	};
-	ctx.context.verification_id ? await ctx.context.internalAdapter.updateVerificationValue(ctx.context.verification_id, data) : await ctx.context.internalAdapter.createVerificationValue({
-		...data,
-		createdAt: /* @__PURE__ */ new Date(iat * 1e3)
+	foundConsent?.id ? await ctx.context.adapter.update({
+		model: "oauthConsent",
+		where: [{
+			field: "id",
+			value: foundConsent.id
+		}],
+		update: {
+			scopes: consent.scopes,
+			updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
+		}
+	}) : await ctx.context.adapter.create({
+		model: "oauthConsent",
+		data: {
+			...consent,
+			scopes: consent.scopes
+		}
 	});
-	const redirectUriWithCode = new URL(verificationValue.query.redirect_uri);
-	redirectUriWithCode.searchParams.set("code", code);
-	if (verificationValue.query.state) redirectUriWithCode.searchParams.set("state", verificationValue.query.state);
-	redirectUriWithCode.searchParams.set("iss", getIssuer(ctx, opts));
-	return handleRedirect(ctx, redirectUriWithCode.toString());
-}
-async function redirectWithPromptCode(ctx, opts, type, page) {
-	const queryParams = await signParams(ctx, opts);
-	let path = opts.loginPage;
-	if (type === "select_account") path = opts.selectAccount?.page ?? opts.loginPage;
-	else if (type === "post_login") {
-		if (!opts.postLogin?.page) throw new APIError$1("INTERNAL_SERVER_ERROR", { error_description: "postLogin should have been defined" });
-		path = opts.postLogin?.page;
-	} else if (type === "consent") path = opts.consentPage;
-	else if (type === "create") path = opts.signup?.page ?? opts.loginPage;
-	return handleRedirect(ctx, `${page ?? path}?${queryParams}`);
-}
-async function signParams(ctx, opts) {
-	const exp = Math.floor(Date.now() / 1e3) + (opts.codeExpiresIn ?? 600);
-	const params = new URLSearchParams(ctx.query);
-	params.set("exp", String(exp));
-	const signature = await makeSignature(params.toString(), ctx.context.secret);
-	params.append("sig", signature);
-	return params.toString();
+	if (requestedScopes) query.set("scope", consent.scopes.join(" "));
+	ctx?.headers?.set("accept", "application/json");
+	ctx.query = deleteFromPrompt(query, "consent");
+	ctx.context.postLogin = true;
+	const { url } = await authorizeEndpoint(ctx, opts);
+	return {
+		redirect: true,
+		uri: url
+	};
 }
 
 //#endregion
-//#region src/metadata.ts
-function authServerMetadata(ctx, opts, overrides) {
-	const baseURL = ctx.context.baseURL;
-	return {
-		scopes_supported: overrides?.scopes_supported,
-		issuer: validateIssuerUrl(opts?.jwt?.issuer ?? baseURL),
-		authorization_endpoint: `${baseURL}/oauth2/authorize`,
-		token_endpoint: `${baseURL}/oauth2/token`,
-		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
-		registration_endpoint: `${baseURL}/oauth2/register`,
-		introspection_endpoint: `${baseURL}/oauth2/introspect`,
-		revocation_endpoint: `${baseURL}/oauth2/revoke`,
-		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
-		response_modes_supported: ["query"],
-		grant_types_supported: overrides?.grant_types_supported ?? [
-			"authorization_code",
-			"client_credentials",
-			"refresh_token"
-		],
-		token_endpoint_auth_methods_supported: [
-			...overrides?.public_client_supported ? ["none"] : [],
-			"client_secret_basic",
-			"client_secret_post"
-		],
-		introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-		revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-		code_challenge_methods_supported: ["S256"],
-		authorization_response_iss_parameter_supported: true
-	};
-}
-function oidcServerMetadata(ctx, opts) {
-	const baseURL = ctx.context.baseURL;
-	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
-	return {
-		...authServerMetadata(ctx, jwtPluginOptions, {
-			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-			public_client_supported: opts.allowUnauthenticatedClientRegistration,
-			grant_types_supported: opts.grantTypes,
-			jwt_disabled: opts.disableJwtPlugin
-		}),
-		claims_supported: opts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],
-		userinfo_endpoint: `${baseURL}/oauth2/userinfo`,
-		subject_types_supported: ["public"],
-		id_token_signing_alg_values_supported: jwtPluginOptions?.jwks?.keyPairConfig?.alg ? [jwtPluginOptions?.jwks?.keyPairConfig?.alg] : opts.disableJwtPlugin ? ["HS256"] : ["EdDSA"],
-		end_session_endpoint: `${baseURL}/oauth2/end-session`,
-		acr_values_supported: ["urn:mace:incommon:iap:bronze"],
-		prompt_values_supported: [
-			"login",
-			"consent",
-			"create",
-			"select_account"
-		]
-	};
-}
-/**
-* Provides an exportable `/.well-known/oauth-authorization-server`.
-*
-* Useful when basePath prevents the endpoint from being located at the root
-* and must be provided manually.
-*
-* @external
-*/
-const oauthProviderAuthServerMetadata = (auth, opts) => {
-	return async (_request) => {
-		const res = await auth.api.getOAuthServerConfig();
-		return new Response(JSON.stringify(res), {
-			status: 200,
-			headers: {
-				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-				...opts?.headers,
-				"Content-Type": "application/json"
-			}
-		});
-	};
-};
-/**
-* Provides an exportable `/.well-known/openid-configuration`.
-*
-* Useful when basePath prevents the endpoint from being located at the root
-* and must be provided manually.
-*
-* @external
-*/
-const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
-	return async (_request) => {
-		const res = await auth.api.getOpenIdConfig();
-		return new Response(JSON.stringify(res), {
-			status: 200,
-			headers: {
-				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-				...opts?.headers,
-				"Content-Type": "application/json"
-			}
-		});
-	};
-};
-
-//#endregion
-//#region src/consent.ts
-async function consentEndpoint(ctx, opts) {
-	const _query = (await oAuthState.get())?.query;
-	if (!_query) throw new APIError("BAD_REQUEST", {
-		error_description: "missing oauth query",
-		error: "invalid_request"
-	});
-	const query = new URLSearchParams(_query);
-	const originalRequestedScopes = query.get("scope")?.split(" ") ?? [];
-	const clientId = query.get("client_id");
-	if (!clientId) throw new APIError("BAD_REQUEST", {
-		error_description: "client_id is required",
-		error: "invalid_client"
-	});
-	const requestedScopes = ctx.body.scope?.split(" ");
-	if (requestedScopes) {
-		if (!requestedScopes.every((sc) => originalRequestedScopes?.includes(sc))) throw new APIError("BAD_REQUEST", {
-			error_description: "Scope not originally requested",
-			error: "invalid_request"
-		});
-	}
-	if (!(ctx.body.accept === true)) return {
-		redirect: true,
-		uri: formatErrorURL(query.get("redirect_uri") ?? "", "access_denied", "User denied access", query.get("state") ?? void 0, getIssuer(ctx, opts))
-	};
-	const session = await getSessionFromCtx(ctx);
-	const referenceId = await opts.postLogin?.consentReferenceId?.({
-		user: session?.user,
-		session: session?.session,
-		scopes: requestedScopes ?? originalRequestedScopes
-	});
-	const foundConsent = await ctx.context.adapter.findOne({
-		model: "oauthConsent",
-		where: [
-			{
-				field: "clientId",
-				value: clientId
-			},
-			{
-				field: "userId",
-				value: session?.user.id
-			},
-			...referenceId ? [{
-				field: "referenceId",
-				value: referenceId
-			}] : []
-		]
-	});
-	const iat = Math.floor(Date.now() / 1e3);
-	const consent = {
-		clientId,
-		userId: session?.user.id,
-		scopes: requestedScopes ?? originalRequestedScopes,
-		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-		updatedAt: /* @__PURE__ */ new Date(iat * 1e3),
-		referenceId
-	};
-	foundConsent?.id ? await ctx.context.adapter.update({
-		model: "oauthConsent",
-		where: [{
-			field: "id",
-			value: foundConsent.id
-		}],
-		update: {
-			scopes: consent.scopes,
-			updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
-		}
-	}) : await ctx.context.adapter.create({
-		model: "oauthConsent",
-		data: {
-			...consent,
-			scopes: consent.scopes
-		}
-	});
-	ctx?.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(query, "consent");
-	ctx.context.postLogin = true;
-	const { url } = await authorizeEndpoint(ctx, opts);
-	return {
-		redirect: true,
-		uri: url
-	};
-}
-
-//#endregion
-//#region src/continue.ts
-async function continueEndpoint(ctx, opts) {
-	if (ctx.body.selected === true) return await selected(ctx, opts);
-	else if (ctx.body.created === true) return await created(ctx, opts);
-	else if (ctx.body.postLogin === true) return await postLogin(ctx, opts);
-	else throw new APIError("BAD_REQUEST", {
-		error_description: "Missing parameters",
-		error: "invalid_request"
-	});
-}
-async function selected(ctx, opts) {
-	const _query = (await oAuthState.get())?.query;
-	if (!_query) throw new APIError("BAD_REQUEST", {
-		error_description: "missing oauth query",
-		error: "invalid_request"
-	});
-	ctx.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(new URLSearchParams(_query), "select_account");
-	const { url } = await authorizeEndpoint(ctx, opts);
+//#region src/continue.ts
+async function continueEndpoint(ctx, opts) {
+	if (ctx.body.selected === true) return await selected(ctx, opts);
+	else if (ctx.body.created === true) return await created(ctx, opts);
+	else if (ctx.body.postLogin === true) return await postLogin(ctx, opts);
+	else throw new APIError("BAD_REQUEST", {
+		error_description: "Missing parameters",
+		error: "invalid_request"
+	});
+}
+async function selected(ctx, opts) {
+	const _query = (await oAuthState.get())?.query;
+	if (!_query) throw new APIError("BAD_REQUEST", {
+		error_description: "missing oauth query",
+		error: "invalid_request"
+	});
+	ctx.headers?.set("accept", "application/json");
+	ctx.query = deleteFromPrompt(new URLSearchParams(_query), "select_account");
+	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
 		uri: url
@@ -796,8 +495,8 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 	});
 	const isAuthCodeWithSecret = client_id && client_secret;
 	const isAuthCodeWithPkce = client_id && code && code_verifier;
-	if (!(isAuthCodeWithPkce || isAuthCodeWithSecret)) throw new APIError("BAD_REQUEST", {
-		error_description: "Missing a required credential value for authorization_code grant",
+	if (!isAuthCodeWithSecret && !isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
+		error_description: "Either code_verifier or client_secret is required",
 		error: "invalid_request"
 	});
 	/** Get and check Verification Value */
@@ -809,16 +508,32 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 	});
 	/** Verify Client */
 	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes);
-	/** Check challenge */
-	const challenge = code_verifier && verificationValue.query?.code_challenge_method === "S256" ? await generateCodeChallenge(code_verifier) : void 0;
-	if (isAuthCodeWithSecret && (challenge || verificationValue?.query?.code_challenge) && challenge !== verificationValue.query?.code_challenge) throw new APIError("UNAUTHORIZED", {
-		error_description: "code verification failed",
-		error: "invalid_request"
-	});
-	if (isAuthCodeWithPkce && challenge !== verificationValue.query?.code_challenge) throw new APIError("UNAUTHORIZED", {
-		error_description: "code verification failed",
+	if (isPKCERequired(client, (verificationValue.query?.scope)?.split(" ") || [])) {
+		if (!isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
+			error_description: "PKCE is required for this client",
+			error: "invalid_request"
+		});
+	} else if (!(isAuthCodeWithPkce || isAuthCodeWithSecret)) throw new APIError("BAD_REQUEST", {
+		error_description: "Either PKCE (code_verifier) or client authentication (client_secret) is required",
 		error: "invalid_request"
 	});
+	/** Check PKCE challenge if verifier is provided */
+	const pkceUsedInAuth = !!verificationValue.query?.code_challenge;
+	const pkceUsedInToken = !!code_verifier;
+	if (pkceUsedInAuth || pkceUsedInToken) {
+		if (pkceUsedInAuth && !pkceUsedInToken) throw new APIError("UNAUTHORIZED", {
+			error_description: "code_verifier required because PKCE was used in authorization",
+			error: "invalid_request"
+		});
+		if (!pkceUsedInAuth && pkceUsedInToken) throw new APIError("UNAUTHORIZED", {
+			error_description: "code_verifier provided but PKCE was not used in authorization",
+			error: "invalid_request"
+		});
+		if ((verificationValue.query?.code_challenge_method === "S256" ? await generateCodeChallenge(code_verifier) : void 0) !== verificationValue.query?.code_challenge) throw new APIError("UNAUTHORIZED", {
+			error_description: "code verification failed",
+			error: "invalid_request"
+		});
+	}
 	/** Get user */
 	if (!verificationValue.userId) throw new APIError("BAD_REQUEST", {
 		error_description: "missing user, user may have been deleted",
@@ -1115,8 +830,8 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 		client_id: accessToken.clientId,
 		sub: user?.id,
 		sid: sessionId,
-		exp: Math.floor(accessToken.expiresAt.getTime() / 1e3),
-		iat: Math.floor(accessToken.createdAt.getTime() / 1e3),
+		exp: Math.floor(new Date(accessToken.expiresAt).getTime() / 1e3),
+		iat: Math.floor(new Date(accessToken.createdAt).getTime() / 1e3),
 		scope: accessToken.scopes?.join(" ")
 	};
 }
@@ -1159,8 +874,8 @@ async function validateRefreshToken(ctx, opts, token, clientId) {
 		iss: ((opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options)?.jwt?.issuer ?? ctx.context.baseURL,
 		sub: user?.id,
 		sid: sessionId,
-		exp: Math.floor(refreshToken.expiresAt.getTime() / 1e3),
-		iat: Math.floor(refreshToken.createdAt.getTime() / 1e3),
+		exp: Math.floor(new Date(refreshToken.expiresAt).getTime() / 1e3),
+		iat: Math.floor(new Date(refreshToken.createdAt).getTime() / 1e3),
 		scope: refreshToken.scopes?.join(" ")
 	};
 }
@@ -1407,6 +1122,10 @@ async function checkOAuthClient(client, opts, settings) {
 			error_description: `cannot request scope ${requestedScope}`
 		});
 	}
+	if (settings?.isRegister && client.require_pkce === false) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: `pkce is required for registered clients.`
+	});
 }
 async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const body = ctx.body;
@@ -1456,7 +1175,7 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 * @returns
 */
 function oauthToSchema(input) {
-	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
 	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
 	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
 	const scopes = _scope?.split(" ");
@@ -1490,6 +1209,7 @@ function oauthToSchema(input) {
 		type,
 		skipConsent,
 		enableEndSession,
+		requirePKCE,
 		referenceId,
 		metadata: Object.keys(metadataObj).length ? JSON.stringify(metadataObj) : void 0
 	};
@@ -1501,9 +1221,9 @@ function oauthToSchema(input) {
 * @returns
 */
 function schemaToOAuth(input) {
-	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, skipConsent, enableEndSession, referenceId, metadata } = input;
-	const _expiresAt = expiresAt ? Math.round(expiresAt.getTime() / 1e3) : void 0;
-	const _createdAt = createdAt ? Math.round(createdAt.getTime() / 1e3) : void 0;
+	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, skipConsent, enableEndSession, requirePKCE, referenceId, metadata } = input;
+	const _expiresAt = expiresAt ? Math.round(new Date(expiresAt).getTime() / 1e3) : void 0;
+	const _createdAt = createdAt ? Math.round(new Date(createdAt).getTime() / 1e3) : void 0;
 	const _scopes = scopes?.join(" ");
 	return {
 		...parseClientMetadata(metadata),
@@ -1532,6 +1252,7 @@ function schemaToOAuth(input) {
 		disabled: disabled ?? void 0,
 		skip_consent: skipConsent ?? void 0,
 		enable_end_session: enableEndSession ?? void 0,
+		require_pkce: requirePKCE ?? void 0,
 		reference_id: referenceId ?? void 0
 	};
 }
@@ -1840,6 +1561,7 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		client_secret_expires_at: z.union([z.string(), z.number()]).optional().default(0),
 		skip_consent: z.boolean().optional(),
 		enable_end_session: z.boolean().optional(),
+		require_pkce: z.boolean().optional(),
 		metadata: z.record(z.string(), z.unknown()).optional()
 	}),
 	metadata: {
@@ -1966,6 +1688,11 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 							type: "boolean",
 							description: "Whether the client is disabled"
 						},
+						require_pkce: {
+							type: "boolean",
+							description: "Whether the client requires PKCE",
+							default: true
+						},
 						metadata: {
 							type: "object",
 							additionalProperties: true,
@@ -2713,6 +2440,10 @@ const schema = {
 				type: "string",
 				required: false
 			},
+			requirePKCE: {
+				type: "boolean",
+				required: false
+			},
 			referenceId: {
 				type: "string",
 				required: false
@@ -2856,6 +2587,7 @@ const schema = {
 //#endregion
 //#region src/oauth.ts
 const oAuthState = defineRequestState(() => null);
+const getOAuthProviderState = oAuthState.get;
 /**
 * oAuth 2.1 provider plugin for Better Auth.
 *
@@ -3811,5 +3543,314 @@ const oauthProvider = (options) => {
 };
 
 //#endregion
-export { authServerMetadata, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+//#region src/authorize.ts
+/**
+* Formats an error url
+*/
+function formatErrorURL(url, error, description, state, iss) {
+	const searchParams = new URLSearchParams({
+		error,
+		error_description: description
+	});
+	state && searchParams.append("state", state);
+	iss && searchParams.append("iss", iss);
+	return `${url}${url.includes("?") ? "&" : "?"}${searchParams.toString()}`;
+}
+const handleRedirect = (ctx, uri) => {
+	if (ctx.headers?.get("accept")?.includes("application/json")) return {
+		redirect: true,
+		url: uri.toString()
+	};
+	else throw ctx.redirect(uri);
+};
+/**
+* Validates that the issuer URL
+* - MUST use HTTPS scheme (HTTP allowed for localhost in dev)
+* - MUST NOT contain query components
+* - MUST NOT contain fragment components
+*
+* @returns The validated issuer URL, or a sanitized version if invalid
+*/
+function validateIssuerUrl(issuer) {
+	try {
+		const url = new URL(issuer);
+		const isLocalhost = url.hostname === "localhost" || url.hostname === "127.0.0.1";
+		if (url.protocol !== "https:" && !isLocalhost) url.protocol = "https:";
+		url.search = "";
+		url.hash = "";
+		return url.toString().replace(/\/$/, "");
+	} catch {
+		return issuer;
+	}
+}
+/**
+* Gets the issuer identifier
+*/
+function getIssuer(ctx, opts) {
+	let issuer;
+	if (opts.disableJwtPlugin) issuer = ctx.context.baseURL;
+	else try {
+		issuer = getJwtPlugin(ctx.context).options?.jwt?.issuer ?? ctx.context.baseURL;
+	} catch {
+		issuer = ctx.context.baseURL;
+	}
+	return validateIssuerUrl(issuer);
+}
+/**
+* Error page url if redirect_uri has not been verified yet
+* Generates Url for custom error page
+*/
+function getErrorURL(ctx, error, description) {
+	return formatErrorURL(ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`, error, description);
+}
+async function authorizeEndpoint(ctx, opts, settings) {
+	if (opts.grantTypes && !opts.grantTypes.includes("authorization_code")) throw new APIError$1("NOT_FOUND");
+	if (!ctx.request) throw new APIError$1("UNAUTHORIZED", {
+		error_description: "request not found",
+		error: "invalid_request"
+	});
+	const query = ctx.query;
+	await oAuthState.set({ query: query.toString() });
+	if (!query.client_id) throw ctx.redirect(getErrorURL(ctx, "invalid_client", "client_id is required"));
+	if (!query.response_type) throw ctx.redirect(getErrorURL(ctx, "invalid_request", "response_type is required"));
+	const promptSet = ctx.query?.prompt ? parsePrompt(ctx.query?.prompt) : void 0;
+	if (promptSet?.has("select_account") && !opts.selectAccount?.page) throw ctx.redirect(getErrorURL(ctx, `unsupported_prompt_select_account`, "unsupported prompt type"));
+	if (!(query.response_type === "code")) throw ctx.redirect(getErrorURL(ctx, "unsupported_response_type", "unsupported response type"));
+	const client = await getClient(ctx, opts, query.client_id);
+	if (!client) throw ctx.redirect(getErrorURL(ctx, "invalid_client", "client_id is required"));
+	if (client.disabled) throw ctx.redirect(getErrorURL(ctx, "client_disabled", "client is disabled"));
+	if (!client.redirectUris?.find((url) => url === query.redirect_uri) || !query.redirect_uri) throw ctx.redirect(getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
+	let requestedScopes = query.scope?.split(" ").filter((s) => s);
+	if (requestedScopes) {
+		const validScopes = new Set(client.scopes ?? opts.scopes);
+		const invalidScopes = requestedScopes.filter((scope) => {
+			return !validScopes?.has(scope);
+		});
+		if (invalidScopes.length) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`, query.state, getIssuer(ctx, opts)));
+	}
+	if (!requestedScopes) {
+		requestedScopes = client.scopes ?? opts.scopes ?? [];
+		query.scope = requestedScopes.join(" ");
+	}
+	const pkceRequired = isPKCERequired(client, requestedScopes);
+	if (pkceRequired) {
+		if (!query.code_challenge || !query.code_challenge_method) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", pkceRequired.valueOf(), query.state, getIssuer(ctx, opts)));
+	}
+	if (query.code_challenge || query.code_challenge_method) {
+		if (!query.code_challenge || !query.code_challenge_method) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "code_challenge and code_challenge_method must both be provided", query.state, getIssuer(ctx, opts)));
+		if (!["S256"].includes(query.code_challenge_method)) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method, only S256 is supported", query.state, getIssuer(ctx, opts)));
+	}
+	const session = await getSessionFromCtx(ctx);
+	if (!session || promptSet?.has("login") || promptSet?.has("create")) return redirectWithPromptCode(ctx, opts, promptSet?.has("create") ? "create" : "login");
+	if (settings?.isAuthorize && promptSet?.has("select_account")) return redirectWithPromptCode(ctx, opts, "select_account");
+	if (settings?.isAuthorize && opts.selectAccount) {
+		if (await opts.selectAccount.shouldRedirect({
+			headers: ctx.request.headers,
+			user: session.user,
+			session: session.session,
+			scopes: requestedScopes
+		})) return redirectWithPromptCode(ctx, opts, "select_account");
+	}
+	if (opts.signup?.shouldRedirect) {
+		const signupRedirect = await opts.signup.shouldRedirect({
+			headers: ctx.request.headers,
+			user: session.user,
+			session: session.session,
+			scopes: requestedScopes
+		});
+		if (signupRedirect) return redirectWithPromptCode(ctx, opts, "create", typeof signupRedirect === "string" ? signupRedirect : void 0);
+	}
+	if (!settings?.postLogin && opts.postLogin) {
+		if (await opts.postLogin.shouldRedirect({
+			headers: ctx.request.headers,
+			user: session.user,
+			session: session.session,
+			scopes: requestedScopes
+		})) return redirectWithPromptCode(ctx, opts, "post_login");
+	}
+	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent");
+	const referenceId = await opts.postLogin?.consentReferenceId?.({
+		user: session.user,
+		session: session.session,
+		scopes: requestedScopes
+	});
+	if (client.skipConsent) return redirectWithAuthorizationCode(ctx, opts, {
+		query,
+		clientId: client.clientId,
+		userId: session.user.id,
+		sessionId: session.session.id,
+		referenceId
+	});
+	const consent = await ctx.context.adapter.findOne({
+		model: "oauthConsent",
+		where: [
+			{
+				field: "clientId",
+				value: client.clientId
+			},
+			{
+				field: "userId",
+				value: session.user.id
+			},
+			...referenceId ? [{
+				field: "referenceId",
+				value: referenceId
+			}] : []
+		]
+	});
+	if (!consent || !requestedScopes.every((val) => consent.scopes.includes(val))) return redirectWithPromptCode(ctx, opts, "consent");
+	return redirectWithAuthorizationCode(ctx, opts, {
+		query,
+		clientId: client.clientId,
+		userId: session.user.id,
+		sessionId: session.session.id,
+		referenceId
+	});
+}
+async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
+	const code = generateRandomString(32, "a-z", "A-Z", "0-9");
+	const iat = Math.floor(Date.now() / 1e3);
+	const exp = iat + (opts.codeExpiresIn ?? 600);
+	const data = {
+		identifier: await storeToken(opts.storeTokens, code, "authorization_code"),
+		updatedAt: /* @__PURE__ */ new Date(iat * 1e3),
+		expiresAt: /* @__PURE__ */ new Date(exp * 1e3),
+		value: JSON.stringify({
+			type: "authorization_code",
+			query: ctx.query,
+			userId: verificationValue.userId,
+			sessionId: verificationValue?.sessionId,
+			referenceId: verificationValue.referenceId
+		})
+	};
+	ctx.context.verification_id ? await ctx.context.internalAdapter.updateVerificationValue(ctx.context.verification_id, data) : await ctx.context.internalAdapter.createVerificationValue({
+		...data,
+		createdAt: /* @__PURE__ */ new Date(iat * 1e3)
+	});
+	const redirectUriWithCode = new URL(verificationValue.query.redirect_uri);
+	redirectUriWithCode.searchParams.set("code", code);
+	if (verificationValue.query.state) redirectUriWithCode.searchParams.set("state", verificationValue.query.state);
+	redirectUriWithCode.searchParams.set("iss", getIssuer(ctx, opts));
+	return handleRedirect(ctx, redirectUriWithCode.toString());
+}
+async function redirectWithPromptCode(ctx, opts, type, page) {
+	const queryParams = await signParams(ctx, opts);
+	let path = opts.loginPage;
+	if (type === "select_account") path = opts.selectAccount?.page ?? opts.loginPage;
+	else if (type === "post_login") {
+		if (!opts.postLogin?.page) throw new APIError$1("INTERNAL_SERVER_ERROR", { error_description: "postLogin should have been defined" });
+		path = opts.postLogin?.page;
+	} else if (type === "consent") path = opts.consentPage;
+	else if (type === "create") path = opts.signup?.page ?? opts.loginPage;
+	return handleRedirect(ctx, `${page ?? path}?${queryParams}`);
+}
+async function signParams(ctx, opts) {
+	const exp = Math.floor(Date.now() / 1e3) + (opts.codeExpiresIn ?? 600);
+	const params = new URLSearchParams(ctx.query);
+	params.set("exp", String(exp));
+	const signature = await makeSignature(params.toString(), ctx.context.secret);
+	params.append("sig", signature);
+	return params.toString();
+}
+
+//#endregion
+//#region src/metadata.ts
+function authServerMetadata(ctx, opts, overrides) {
+	const baseURL = ctx.context.baseURL;
+	return {
+		scopes_supported: overrides?.scopes_supported,
+		issuer: validateIssuerUrl(opts?.jwt?.issuer ?? baseURL),
+		authorization_endpoint: `${baseURL}/oauth2/authorize`,
+		token_endpoint: `${baseURL}/oauth2/token`,
+		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
+		registration_endpoint: `${baseURL}/oauth2/register`,
+		introspection_endpoint: `${baseURL}/oauth2/introspect`,
+		revocation_endpoint: `${baseURL}/oauth2/revoke`,
+		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
+		response_modes_supported: ["query"],
+		grant_types_supported: overrides?.grant_types_supported ?? [
+			"authorization_code",
+			"client_credentials",
+			"refresh_token"
+		],
+		token_endpoint_auth_methods_supported: [
+			...overrides?.public_client_supported ? ["none"] : [],
+			"client_secret_basic",
+			"client_secret_post"
+		],
+		introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+		revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+		code_challenge_methods_supported: ["S256"],
+		authorization_response_iss_parameter_supported: true
+	};
+}
+function oidcServerMetadata(ctx, opts) {
+	const baseURL = ctx.context.baseURL;
+	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
+	return {
+		...authServerMetadata(ctx, jwtPluginOptions, {
+			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+			public_client_supported: opts.allowUnauthenticatedClientRegistration,
+			grant_types_supported: opts.grantTypes,
+			jwt_disabled: opts.disableJwtPlugin
+		}),
+		claims_supported: opts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],
+		userinfo_endpoint: `${baseURL}/oauth2/userinfo`,
+		subject_types_supported: ["public"],
+		id_token_signing_alg_values_supported: jwtPluginOptions?.jwks?.keyPairConfig?.alg ? [jwtPluginOptions?.jwks?.keyPairConfig?.alg] : opts.disableJwtPlugin ? ["HS256"] : ["EdDSA"],
+		end_session_endpoint: `${baseURL}/oauth2/end-session`,
+		acr_values_supported: ["urn:mace:incommon:iap:bronze"],
+		prompt_values_supported: [
+			"login",
+			"consent",
+			"create",
+			"select_account"
+		]
+	};
+}
+/**
+* Provides an exportable `/.well-known/oauth-authorization-server`.
+*
+* Useful when basePath prevents the endpoint from being located at the root
+* and must be provided manually.
+*
+* @external
+*/
+const oauthProviderAuthServerMetadata = (auth, opts) => {
+	return async (_request) => {
+		const res = await auth.api.getOAuthServerConfig();
+		return new Response(JSON.stringify(res), {
+			status: 200,
+			headers: {
+				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
+				...opts?.headers,
+				"Content-Type": "application/json"
+			}
+		});
+	};
+};
+/**
+* Provides an exportable `/.well-known/openid-configuration`.
+*
+* Useful when basePath prevents the endpoint from being located at the root
+* and must be provided manually.
+*
+* @external
+*/
+const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
+	return async (_request) => {
+		const res = await auth.api.getOpenIdConfig();
+		return new Response(JSON.stringify(res), {
+			status: 200,
+			headers: {
+				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
+				...opts?.headers,
+				"Content-Type": "application/json"
+			}
+		});
+	};
+};
+
+//#endregion
+export { authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
 //# sourceMappingURL=index.mjs.map