@better-auth/oauth-provider 1.5.0-beta.2 → 1.5.0-beta.3

package/LICENSE.md

@@ -1,17 +1,20 @@
 The MIT License (MIT)
 Copyright (c) 2024 - present, Bereket Engida
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software
-and associated documentation files (the "Software"), to deal in the Software without restriction,
-including without limitation the rights to use, copy, modify, merge, publish, distribute,
-sublicense, and/or sell copies of the Software, and to permit persons to whom the Software
-is furnished to do so, subject to the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the “Software”), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all copies or
-substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
-BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.

package/dist/client-resource.mjs

@@ -1,4 +1,4 @@
-import { a as getJwtPlugin, f as handleMcpErrors, o as getOAuthProviderPlugin } from "./utils-CSiY9oUk.mjs";
+import { a as getJwtPlugin, o as getOAuthProviderPlugin, p as handleMcpErrors } from "./utils-CAYiYjbw.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -6,16 +6,27 @@ import { logger } from "@better-auth/core/env";
 
 //#region src/client-resource.ts
 const oauthProviderResourceClient = (auth) => {
-	const oauthProviderOptions = (auth ? getOAuthProviderPlugin(auth) : void 0)?.options;
-	const jwtPluginOptions = (auth && !oauthProviderOptions?.disableJwtPlugin ? getJwtPlugin(auth) : void 0)?.options;
+	let oauthProviderPlugin;
+	const getOauthProviderPlugin = async () => {
+		if (!oauthProviderPlugin) oauthProviderPlugin = auth ? getOAuthProviderPlugin(await auth.$context) : void 0;
+		return oauthProviderPlugin;
+	};
+	let jwtPlugin;
+	const getJwtPluginOptions = async () => {
+		if (!jwtPlugin) jwtPlugin = auth && !(await getOauthProviderPlugin())?.options?.disableJwtPlugin ? getJwtPlugin(await auth.$context) : void 0;
+		return jwtPlugin?.options;
+	};
+	const getAuthorizationServer = async () => {
+		return (await getJwtPluginOptions())?.jwt?.issuer ?? authServerBaseUrl;
+	};
 	const authServerBaseUrl = auth?.options.baseURL;
 	const authServerBasePath = auth?.options.basePath;
-	const authorizationServer = jwtPluginOptions?.jwt?.issuer ?? authServerBaseUrl;
 	return {
 		id: "oauth-provider-resource-client",
 		getActions() {
 			return {
 				verifyAccessToken: (async (token, opts) => {
+					const jwtPluginOptions = await getJwtPluginOptions();
 					const audience = opts?.verifyOptions?.audience ?? authServerBaseUrl;
 					const issuer = opts?.verifyOptions?.issuer ?? jwtPluginOptions?.jwt?.issuer ?? authServerBaseUrl;
 					if (!audience) throw Error("please define opts.verifyOptions.audience");
@@ -43,6 +54,7 @@ const oauthProviderResourceClient = (auth) => {
 				}),
 				getProtectedResourceMetadata: (async (overrides, opts) => {
 					const resource = overrides?.resource ?? authServerBaseUrl;
+					const oauthProviderOptions = (await getOauthProviderPlugin())?.options;
 					if (!resource) throw Error("missing required resource");
 					if (oauthProviderOptions?.scopes && opts?.externalScopes && (overrides?.authorization_servers?.length ?? 0) <= 1) throw new BetterAuthError("external scopes should not be provided with one authorization server");
 					if (overrides?.scopes_supported) {
@@ -60,6 +72,7 @@ const oauthProviderResourceClient = (auth) => {
 							if (!allValidScopes.has(sc)) throw new BetterAuthError(`Unsupported scope ${sc}. If external, please add to "externalScopes"`);
 						}
 					}
+					const authorizationServer = await getAuthorizationServer();
 					return {
 						resource,
 						authorization_servers: authorizationServer ? [authorizationServer] : void 0,

package/dist/client.d.mts

@@ -1,5 +1,5 @@
 import "./oauth-BrFoF22H.mjs";
-import { t as oauthProvider } from "./oauth-C1OnEiU-.mjs";
+import { t as oauthProvider } from "./oauth-BW67CKnu.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/index.d.mts

@@ -1,5 +1,5 @@
 import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-BrFoF22H.mjs";
-import { t as oauthProvider } from "./oauth-C1OnEiU-.mjs";
+import { t as oauthProvider } from "./oauth-BW67CKnu.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { a as getJwtPlugin, c as parsePrompt, d as validateClientCredentials, i as getClient, l as storeClientSecret, n as decryptStoredClientSecret, p as mcpHandler, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as storeToken } from "./utils-CSiY9oUk.mjs";
+import { a as getJwtPlugin, c as parseClientMetadata, d as storeToken, f as validateClientCredentials, i as getClient, l as parsePrompt, m as mcpHandler, n as decryptStoredClientSecret, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as storeClientSecret } from "./utils-CAYiYjbw.mjs";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -516,7 +516,7 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 		scopes,
 		resource: ctx.body.resource,
 		referenceId,
-		metadata: client.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const jwtPluginOptions = getJwtPlugin(ctx.context).options;
 	return signJWT(ctx, {
@@ -547,7 +547,7 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId)
 	const customClaims = opts.customIdTokenClaims ? await opts.customIdTokenClaims({
 		user,
 		scopes,
-		metadata: client.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
 	const payload = {
@@ -857,7 +857,7 @@ async function handleClientCredentialsGrant(ctx, opts) {
 	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
 		scopes: requestedScopes,
 		resource: ctx.body.resource,
-		metadata: client.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const accessToken = audience && !opts.disableJwtPlugin ? await signJWT(ctx, {
 		options: jwtPluginOptions,
@@ -1069,7 +1069,7 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 		user,
 		scopes: accessToken.scopes,
 		referenceId: accessToken?.referenceId,
-		metadata: client?.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client?.metadata)
 	}) : {};
 	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
 	return {
@@ -1420,14 +1420,19 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 * @returns
 */
 function oauthToSchema(input) {
-	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, reference_id: referenceId, ...rest } = input;
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
 	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
 	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
+	const scopes = _scope?.split(" ");
+	const metadataObj = {
+		...rest && Object.keys(rest).length ? rest : {},
+		...inputMetadata && typeof inputMetadata === "object" ? inputMetadata : {}
+	};
 	return {
 		clientId,
 		clientSecret,
 		disabled,
-		scopes: _scope?.split(" "),
+		scopes,
 		userId,
 		createdAt,
 		expiresAt,
@@ -1450,7 +1455,7 @@ function oauthToSchema(input) {
 		skipConsent,
 		enableEndSession,
 		referenceId,
-		metadata: rest && Object.keys(rest).length ? JSON.stringify(rest) : void 0
+		metadata: Object.keys(metadataObj).length ? JSON.stringify(metadataObj) : void 0
 	};
 }
 /**
@@ -1465,7 +1470,7 @@ function schemaToOAuth(input) {
 	const _createdAt = createdAt ? Math.round(createdAt.getTime() / 1e3) : void 0;
 	const _scopes = scopes?.join(" ");
 	return {
-		...metadata ? JSON.parse(metadata) : void 0,
+		...parseClientMetadata(metadata),
 		client_id: clientId,
 		client_secret: clientSecret ?? void 0,
 		client_secret_expires_at: clientSecret ? _expiresAt ?? 0 : void 0,
@@ -2857,12 +2862,12 @@ const oauthProvider = (options) => {
 	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
 	if (!opts.disableJwtPlugin && (opts.storeClientSecret === "encrypted" || typeof opts.storeClientSecret === "object" && ("encrypt" in opts.storeClientSecret || "decrypt" in opts.storeClientSecret))) throw new BetterAuthError("encryption method not recommended, please use 'hashed' or the 'hash' function");
 	return {
-		id: "oauthProvider",
+		id: "oauth-provider",
 		options: opts,
 		init: (ctx) => {
 			if (ctx.options.session && !ctx.options.session.storeSessionInDatabase) throw new BetterAuthError("OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage");
 			if (!opts.disableJwtPlugin) {
-				const issuer = getJwtPlugin(ctx).options?.jwt?.issuer ?? ctx.baseURL;
+				const issuer = (getJwtPlugin(ctx)?.options)?.jwt?.issuer ?? ctx.baseURL;
 				const issuerPath = new URL(issuer).pathname;
 				if (!opts.silenceWarnings?.oauthAuthServerConfig && !(ctx.options.basePath === "/" && issuerPath === "/")) logger.warn(`Please ensure '/.well-known/oauth-authorization-server${issuerPath === "/" ? "" : issuerPath}' exists. Upon completion, clear with silenceWarnings.oauthAuthServerConfig.`);
 				if (!opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
@@ -2915,7 +2920,7 @@ const oauthProvider = (options) => {
 				metadata: { SERVER_ONLY: true }
 			}, async (ctx) => {
 				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
-				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options, { scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes });
+				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, { scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes });
 			}),
 			getOpenIdConfig: createAuthEndpoint("/.well-known/openid-configuration", {
 				method: "GET",

package/dist/{oauth-C1OnEiU-.d.mts → oauth-BW67CKnu.d.mts}

@@ -7,7 +7,13 @@ import * as jose0 from "jose";
 import * as better_auth0 from "better-auth";
 
 //#region src/oauth.d.ts
-
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<Auth, Context> {
+    "oauth-provider": {
+      creator: typeof oauthProvider;
+    };
+  }
+}
 /**
  * oAuth 2.1 provider plugin for Better Auth.
  *
@@ -16,10 +22,8 @@ import * as better_auth0 from "better-auth";
  * @returns A Better Auth plugin.
  */
 declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
-  id: "oauthProvider";
-  options: O & {
-    claims?: string[];
-  };
+  id: "oauth-provider";
+  options: NoInfer<O>;
   init: (ctx: better_auth0.AuthContext) => void;
   hooks: {
     before: {

package/dist/{utils-CSiY9oUk.mjs → utils-CAYiYjbw.mjs}

@@ -80,14 +80,14 @@ var TTLCache = class {
 * @internal
 */
 const getOAuthProviderPlugin = (ctx) => {
-	return ctx.options.plugins?.find((plugin) => plugin.id === "oauthProvider");
+	return ctx.getPlugin("oauth-provider");
 };
 /**
 * Gets the JWT Plugin
 * @internal
 */
 const getJwtPlugin = (ctx) => {
-	const plugin = ctx.options.plugins?.find((plugin$1) => plugin$1.id === "jwt");
+	const plugin = ctx.getPlugin("jwt");
 	if (!plugin) throw new BetterAuthError("jwt_config", "jwt plugin not found");
 	return plugin;
 };
@@ -256,6 +256,16 @@ async function validateClientCredentials(ctx, options, clientId, clientSecret, s
 	return client;
 }
 /**
+* Parse client metadata that may be stored as JSON string or already parsed object.
+* Handles database adapters that auto-parse JSON columns.
+*
+* @internal
+*/
+function parseClientMetadata(metadata) {
+	if (!metadata) return void 0;
+	return typeof metadata === "string" ? JSON.parse(metadata) : metadata;
+}
+/**
 * Parse space-separated prompt string into a set of prompts
 *
 * @param prompt
@@ -283,4 +293,4 @@ function deleteFromPrompt(query, prompt) {
 }
 
 //#endregion
-export { getJwtPlugin as a, parsePrompt as c, validateClientCredentials as d, handleMcpErrors as f, getClient as i, storeClientSecret as l, decryptStoredClientSecret as n, getOAuthProviderPlugin as o, mcpHandler as p, deleteFromPrompt as r, getStoredToken as s, basicToClientCredentials as t, storeToken as u };
+export { getJwtPlugin as a, parseClientMetadata as c, storeToken as d, validateClientCredentials as f, getClient as i, parsePrompt as l, mcpHandler as m, decryptStoredClientSecret as n, getOAuthProviderPlugin as o, handleMcpErrors as p, deleteFromPrompt as r, getStoredToken as s, basicToClientCredentials as t, storeClientSecret as u };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.5.0-beta.2",
+  "version": "1.5.0-beta.3",
   "type": "module",
   "description": "An oauth provider plugin for Better Auth",
   "main": "dist/index.mjs",
@@ -42,8 +42,8 @@
     "@modelcontextprotocol/sdk": "^1.24.2",
     "listhen": "^1.9.0",
     "tsdown": "^0.17.2",
-    "@better-auth/core": "1.5.0-beta.2",
-    "better-auth": "1.5.0-beta.2"
+    "@better-auth/core": "1.5.0-beta.3",
+    "better-auth": "1.5.0-beta.3"
   },
   "dependencies": {
     "jose": "^6.1.0",
@@ -52,9 +52,9 @@
   "peerDependencies": {
     "@better-auth/utils": "0.3.0",
     "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.1.7",
-    "@better-auth/core": "1.5.0-beta.2",
-    "better-auth": "1.5.0-beta.2"
+    "better-call": "1.1.8",
+    "@better-auth/core": "1.5.0-beta.3",
+    "better-auth": "1.5.0-beta.3"
   },
   "files": [
     "dist"